CVE-2025-1150: 
NixOS vulnerability analysis and mitigation

A vulnerability was found in GNU Binutils 2.43, specifically affecting the bfd_malloc function in the libbfd.c file of the ld component. The vulnerability was disclosed on February 10, 2025, and has been assigned CVE-2025-1150. The issue leads to a memory leak that can be triggered remotely, though the complexity of exploitation is considered high (NVD, Red Hat).

The vulnerability is classified as a memory leak with a CVSS v3.1 base score of 3.1 (LOW). The attack vector is Network-based, requiring high attack complexity and user interaction, with no privileges required. The scope is unchanged, with no impact on confidentiality or integrity, but low impact on availability. The vulnerability is associated with CWE-401 (Missing Release of Memory after Effective Lifetime) and CWE-404 (Improper Resource Shutdown or Release) (NVD, Red Hat).

The memory leak can lead to an application crash or other undefined behavior. When exploited, the vulnerability primarily affects system availability through resource consumption, potentially causing system instability or denial of service conditions (Red Hat).

The code maintainer has indicated that some leak fixes are being worked on but won't be committed to the 2.44 branch due to concerns about destabilizing ld. All reported leaks have been fixed in the binutils master branch, though a specific patch for version 2.43 is not immediately available (Sourceware Bugzilla).