Malicious binary files can cause Binutils to freeze
UBUNTU-CVE-2025-69644
Summary
GNU Binutils, a collection of tools for working with binary files, is vulnerable to a denial-of-service attack in objdump. An attacker can supply a specially crafted binary file with malformed debug information, causing objdump to consume excessive resources and freeze. To protect against this, update to Binutils version 2.46 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
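Until a fixed package is installed, a dump tool run on untrusted files can be bounded in both time and output size, which contains the hang and the endless output this advisory describes. The wrapper below is an added example, not part of the advisory or of Binutils; the function name `run_bounded`, its return codes and the limits shown are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): bound a dump tool run on an untrusted file.
# Usage: run_bounded SECONDS MAX_BYTES CMD [ARGS...]
#   e.g. run_bounded 30 1048576 objdump --dwarf sample.o   (sample.o is a placeholder)
# Prints at most MAX_BYTES of the command's stdout.
# Returns 0 = finished within limits, 2 = output cap hit, 3 = time limit hit,
#         1 = command failed for another reason.
run_bounded() {
    secs=$1 max=$2
    shift 2
    tmp=$(mktemp -d) || return 1
    # Read one byte past the cap so "exactly at the cap" and "over it" differ.
    # When head exits, the writer loses its pipe, so endless output stops early.
    { timeout -k 2 "$secs" "$@" 2>/dev/null; echo $? > "$tmp/rc"; } |
        head -c "$((max + 1))" > "$tmp/out"
    rc=$(cat "$tmp/rc" 2>/dev/null || echo 1)
    size=$(($(wc -c < "$tmp/out")))
    head -c "$max" "$tmp/out"
    rm -rf "$tmp"
    # Output cap takes priority: a flood of output is the symptom described here.
    if [ "$size" -gt "$max" ]; then return 2; fi
    # 124 = timeout sent TERM, 137 = timeout had to follow up with KILL.
    if [ "$rc" -eq 124 ] || [ "$rc" -eq 137 ]; then return 3; fi
    [ "$rc" -eq 0 ] || return 1
    return 0
}
```

A return code of 2 or 3 on a file from an untrusted source is worth logging alongside the file's hash, since it marks an input that would otherwise have tied up the analysis host.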
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| canonical | binutils | All versions | – |
Original title
An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handli...
Original description
An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file.
- https://ubuntu.com/security/CVE-2025-69644 Third Party Advisory
- https://www.cve.org/CVERecord?id=CVE-2025-69644 Third Party Advisory
- https://sourceware.org/bugzilla/show_bug.cgi?id=33639 Third Party Advisory
- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f348081... Third Party Advisory
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026