Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66864

CVE-2025-66864: GNU Binutils DOS Vulnerability

CVE-2025-66864 is a denial of service vulnerability in GNU Binutils 2.26 affecting the d_print_comp_inner function in cp-demangle.c. Attackers can exploit this via crafted PE files. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-66864 Overview

CVE-2025-66864 is a denial of service vulnerability in GNU Binutils 2.26. The flaw resides in the d_print_comp_inner function within cp-demangle.c, a component used by tools such as c++filt to demangle C++ symbol names. Attackers can trigger the issue by supplying a crafted Portable Executable (PE) file. Processing the malformed input causes the demangler to crash, resulting in a denial of service condition against any application or workflow that relies on the affected Binutils tooling. The vulnerability is categorized under [CWE-20] Improper Input Validation.

Critical Impact

A remote attacker can crash Binutils-based tools by submitting a crafted PE file, disrupting build pipelines, malware analysis workflows, and automated binary processing systems.

Affected Products

  • GNU Binutils 2.26
  • Tools depending on cp-demangle.c (e.g., c++filt, nm, objdump)
  • Downstream distributions packaging the affected Binutils release

Discovery Timeline

  • 2025-12-29 - CVE-2025-66864 published to NVD
  • 2026-01-14 - Last updated in NVD database

Technical Details for CVE-2025-66864

Vulnerability Analysis

The vulnerability exists in the d_print_comp_inner routine of cp-demangle.c, which is part of the libiberty demangling library shared across GNU Binutils utilities. The demangler recursively walks parsed components of a mangled C++ symbol to reconstruct the original declaration. When the parser encounters malformed structures embedded inside a crafted PE file, d_print_comp_inner fails to validate component state before dereferencing or recursing, leading to a crash.

Because Binutils tools such as c++filt, nm, and objdump automatically invoke the demangler when listing symbols, any workflow that ingests untrusted binaries can be disrupted. This includes continuous integration pipelines, automated reverse engineering platforms, and binary analysis sandboxes.

Root Cause

The root cause is improper input validation [CWE-20] in d_print_comp_inner. The function does not sufficiently validate the structure or type of demangle components produced from attacker-controlled symbol data. Crafted input drives the recursive printer into an unsupported state, terminating the process.

Attack Vector

The attack vector is network-reachable in the sense that crafted PE files can be delivered through email, web downloads, package repositories, or shared analysis platforms. No authentication or user interaction is required beyond having the target invoke a Binutils tool against the malicious file. The impact is limited to availability — confidentiality and integrity are not affected.

No verified exploitation code is published. A proof-of-concept crash reproducer is referenced in the CRGF-Vul crash5 repository.

Detection Methods for CVE-2025-66864

Indicators of Compromise

  • Unexpected crashes or segmentation faults in c++filt, nm, objdump, or addr2line processes
  • Core dumps referencing d_print_comp_inner or cp-demangle.c in the stack trace
  • Build pipeline or analysis job failures correlated with ingestion of unknown PE files

Detection Strategies

  • Inventory hosts running GNU Binutils 2.26 using package manager queries such as dpkg -l binutils or rpm -q binutils
  • Monitor process telemetry for abnormal termination of demangler-invoking utilities on build servers and analyst workstations
  • Scan submitted PE samples in sandboxes with crash monitoring enabled to catch malformed symbol data before downstream tools process them

Monitoring Recommendations

  • Forward Binutils process exit codes and crash signals to centralized logging for trend analysis
  • Alert on repeated crashes of the same Binutils binary across multiple hosts, which may indicate a coordinated DoS attempt
  • Track file provenance for PE samples processed by automated pipelines to identify malicious submissions

How to Mitigate CVE-2025-66864

Immediate Actions Required

  • Upgrade GNU Binutils to a version later than 2.26 that includes input validation fixes for cp-demangle.c
  • Restrict automated demangling of untrusted PE binaries until patched versions are deployed
  • Isolate binary analysis workloads in sandboxed environments where a crash does not impact production services

Patch Information

No vendor advisory URL is published in the NVD entry. Administrators should track the GNU Binutils project for updated releases and apply distribution-provided security updates as they become available. Refer to the proof-of-concept reference to validate that updated builds no longer crash on the documented input.

Workarounds

  • Disable symbol demangling in tooling by passing --no-demangle to nm or objdump when processing untrusted binaries
  • Wrap Binutils invocations with process supervisors that contain crashes and prevent pipeline failure cascades
  • Pre-filter input files by validating PE structure before passing them to Binutils utilities
bash
# Configuration example: invoke Binutils with demangling disabled
nm --no-demangle suspicious.exe
objdump --no-demangle -t suspicious.exe

# Verify installed Binutils version
ld --version | head -n 1

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.