CVE-2026-4647

EUVD-2026-14435
A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Affected Products (NVD)
VendorProductVersion
gnubinutils
-
redhatopenshift_container_platform
4.0
redhatenterprise_linux
6.0
redhatenterprise_linux
7.0
redhatenterprise_linux
8.0
redhatenterprise_linux
9.0
redhatenterprise_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
binutils
bookworm
unimportant
bullseye
unimportant
forky
unimportant
sid
unimportant
trixie
unimportant
Azure Linux logo
Azure Linux Releases
Azure Package
Release
binutils
Azure Linux 3.0
0:2.41-11.azl3
fixed
crash
Azure Linux 3.0
0:9.0.0-2.azl3
fixed
gdb
Azure Linux 3.0
0:13.2-7.azl3
fixed
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2026-4647
https://bugzilla.redhat.com/show_bug.cgi?id=2450302
https://sourceware.org/bugzilla/show_bug.cgi?id=33919