CVE-2025-69651: GNU Binutils through 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service.
Overview
- Severity: High (CVSS 7.1)
- CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
- Exploit Status: Not Exploited
- Patch Tuesday: 2026-Mar
- Released: 2026-03-11
- EPSS Score: 0.02% (percentile: 3.6%)
Affected Products (2)
Open Source Software
- azl3 binutils 2.41-10 on Azure Linux 3.0
- cbl2 binutils 2.37-20 on CBL Mariner 2.0
Revision History
- 2026-03-11: Information published.