CVE-2020-35496: Null Pointer Dereference
First published: Tue Dec 29 2020(Updated: )
GNU Binutils before 2.34 has a NULL pointer dereference in bfd_pef_scan_start_address function in bfd/pef.c due to not checking return value of bfd_malloc. This bug allows attackers to cause a denial of service. Reference: <a href="https://sourceware.org/bugzilla/show_bug.cgi?id=25308">https://sourceware.org/bugzilla/show_bug.cgi?id=25308</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/binutils | <2.34 | 2.34 |
| GNU Binutils | <2.34 | |
| Fedoraproject Fedora | =32 | |
| Netapp Cloud Backup | ||
| NetApp ONTAP Select Deploy administration utility | ||
| IBM Cloud Pak for Business Automation | ||
| Netapp Solidfire \& Hci Management Node | ||
| Broadcom Brocade Fabric Operating System Firmware | ||
| IBM Cloud Pak for Business Automation | ||
| Netapp Hci Compute Node |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1911444
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4KOK3QWSVOUJWJ54HVGIFWNLWQ5ZY4S6/
- https://security.gentoo.org/glsa/202107-24
- https://security.netapp.com/advisory/ntap-20210212-0007/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4KOK3QWSVOUJWJ54HVGIFWNLWQ5ZY4S6/
- https://sourceware.org/bugzilla/show_bug.cgi?id=25308
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1911445
- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7a0fb7be96e0ce79e1ae429bc1ba913e5244d537
Frequently Asked Questions
What is CVE-2020-35496?
CVE-2020-35496 is a vulnerability in bfd_pef_scan_start_address() of bfd/pef.c in binutils, which could allow a crafted file processed by objdump to cause a NULL pointer dereference.
What is the severity of CVE-2020-35496?
The severity of CVE-2020-35496 is medium, with a severity value of 5.5.
Which software is affected by CVE-2020-35496?
The software affected by CVE-2020-35496 includes the binutils package version up to exclusive 2.34, GNU Binutils version up to exclusive 2.34, Fedora 32, Netapp Cloud Backup, NetApp ONTAP Select Deploy administration utility, Netapp Solidfire, Enterprise Sds & Hci Storage Node, Netapp Solidfire & Hci Management Node, Broadcom Brocade Fabric Operating System Firmware, and Netapp Hci Compute Node Firmware.
How can I fix the CVE-2020-35496 vulnerability?
To fix the CVE-2020-35496 vulnerability, you should update binutils to version 2.34 or later.
Where can I find more information about CVE-2020-35496?
You can find more information about CVE-2020-35496 at the following references: [1] [2] [3].
- agent/type
- agent/first-publish-date
- agent/severity
- agent/author
- agent/remedy
- agent/description
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-35496
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/tags
- agent/event
- vendor/gnu
- canonical/gnu binutils
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- vendor/netapp
- canonical/netapp cloud backup
- canonical/netapp ontap select deploy administration utility
- canonical/netapp solidfire\, enterprise sds \& hci storage node
- canonical/netapp solidfire \& hci management node
- vendor/broadcom
- canonical/broadcom brocade fabric operating system firmware
- canonical/netapp hci compute node firmware
- canonical/netapp hci compute node
- package-manager/redhat