CVE-2021-46174: 
NixOS vulnerability analysis and mitigation

A Heap-based Buffer Overflow vulnerability was discovered in the bfd_getl32 function of GNU Binutils objdump version 3.37. The vulnerability was assigned CVE-2021-46174 and was publicly disclosed on August 22, 2023. This security flaw affects GNU Binutils versions up to (but not including) 2.38 (NVD).

The vulnerability is classified as a heap-based buffer overflow (CWE-787: Out-of-bounds Write) occurring in the bfd_getl32 function within Binutils objdump. The issue manifests when processing certain malformed ELF files, specifically when reading section stabs debugging information. The vulnerability received a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely without requiring privileges or user interaction (NVD).

The vulnerability can lead to a heap-based buffer overflow condition when processing malformed input files. When exploited, it primarily affects the availability of the system, as indicated by the CVSS scoring which shows high impact on availability but no direct impact on confidentiality or integrity (NVD).

The vulnerability was fixed in GNU Binutils version 2.38 through a patch that prevents reading past the end of sections when concatenating stab strings. The fix was implemented in both the mainline and 2.38 branch of the codebase. Users are advised to upgrade to Binutils version 2.38 or later to address this vulnerability (Sourceware Bugzilla).