
[USN-7919-1] GNU binutils vulnerabilities

Posted on 10 December 2025
Ubuntu Security

==========================================================================
Ubuntu Security Notice USN-7919-1
December 10, 2025

binutils vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in GNU binutils.

Software Description:
- binutils: GNU assembler, linker and binary utilities

Details:

It was discovered that GNU binutils' dump_dwarf_section function could be
manipulated to perform an out-of-bounds read. A local attacker could
possibly use this issue to cause GNU binutils to crash, resulting in a
denial of service. This issue only affected Ubuntu 25.10. (CVE-2025-11081)

It was discovered that GNU binutils incorrectly handled certain files. A
local attacker could possibly use this issue to cause a crash or execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04
LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 25.10.
(CVE-2025-11082)

It was discovered that GNU binutils incorrectly handled certain inputs. A
local attacker could possibly use this issue to cause a crash or execute
arbitrary code. This issue was only fixed in Ubuntu 25.10.
(CVE-2025-11083)

It was discovered that certain GNU binutils functions could be manipulated
to perform out-of-bounds reads. A local attacker could possibly use this
issue to cause GNU binutils to crash, resulting in a denial of service.
(CVE-2025-11412, CVE-2025-11413, CVE-2025-11414)

It was discovered that GNU binutils' _bfd_x86_elf_late_size_sections
function could be manipulated to perform an out-of-bounds read. A local
attacker could possibly use this issue to cause GNU binutils to crash,
resulting in a denial of service. This issue only affected Ubuntu 18.04
LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04,
and Ubuntu 25.10. (CVE-2025-11494)

It was discovered that GNU binutils' elf_x86_64_relocate_section function
could be manipulated to cause a heap-based buffer overflow. A local
attacker could possibly use this issue to cause GNU binutils to crash,
resulting in a denial of service. This issue was only fixed in Ubuntu
25.04 and Ubuntu 25.10. (CVE-2025-11495)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
binutils 2.45-7ubuntu1.2
binutils-multiarch 2.45-7ubuntu1.2

Ubuntu 25.04
binutils 2.44-3ubuntu1.3
binutils-multiarch 2.44-3ubuntu1.3

Ubuntu 24.04 LTS
binutils 2.42-4ubuntu2.8
binutils-multiarch 2.42-4ubuntu2.8

Ubuntu 22.04 LTS
binutils 2.38-4ubuntu2.12
binutils-multiarch 2.38-4ubuntu2.12

Ubuntu 20.04 LTS
binutils 2.34-6ubuntu1.11+esm2
Available with Ubuntu Pro
binutils-multiarch 2.34-6ubuntu1.11+esm2
Available with Ubuntu Pro

Ubuntu 18.04 LTS
binutils 2.30-21ubuntu1~18.04.9+esm13
Available with Ubuntu Pro
binutils-multiarch 2.30-21ubuntu1~18.04.9+esm13
Available with Ubuntu Pro

Ubuntu 16.04 LTS
binutils 2.26.1-1ubuntu1~16.04.8+esm14
Available with Ubuntu Pro
binutils-multiarch 2.26.1-1ubuntu1~16.04.8+esm14
Available with Ubuntu Pro

Ubuntu 14.04 LTS
binutils 2.24-5ubuntu14.2+esm8
Available with Ubuntu Pro
binutils-multiarch 2.24-5ubuntu14.2+esm8
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7919-1
CVE-2025-11081, CVE-2025-11082, CVE-2025-11083, CVE-2025-11412,
CVE-2025-11413, CVE-2025-11414, CVE-2025-11494, CVE-2025-11495

Package Information:
https://launchpad.net/ubuntu/+source/binutils/2.45-7ubuntu1.2
https://launchpad.net/ubuntu/+source/binutils/2.44-3ubuntu1.3
https://launchpad.net/ubuntu/+source/binutils/2.42-4ubuntu2.8
https://launchpad.net/ubuntu/+source/binutils/2.38-4ubuntu2.12
