CVE-2022-48064: 
NixOS vulnerability analysis and mitigation

GNU Binutils before version 2.40 contains an excessive memory consumption vulnerability (CVE-2022-48064) in the function bfddwarf2findnearestlinewithalt located in dwarf2.c. The vulnerability was discovered and disclosed in August 2023, affecting various systems and software that utilize GNU Binutils (NVD, CVE).

The vulnerability is characterized by excessive memory consumption in the bfddwarf2findnearestlinewithalt function within dwarf2.c. It has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The issue occurs when processing crafted ELF files, which can trigger uncontrolled memory allocation (NetApp Advisory, Sourceware Bugzilla).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition through excessive memory consumption. The attack requires local access and user interaction, but does not require privileges. The vulnerability affects the availability of the system while having no impact on confidentiality or integrity (NetApp Advisory).

The vulnerability has been fixed in GNU Binutils version 2.40 and later. The fix involves ignoring sections without SECHASCONTENTS in the finddebuginfo function. Various distributions have backported the fix, including Fedora 37, 38, and 39. The fix is implemented through the commit 8f2c64de86b in the binutils-gdb repository (Sourceware Bugzilla, Fedora Updates).