CVE-2025-1151: 
NixOS vulnerability analysis and mitigation

A vulnerability was found in GNU Binutils 2.43, identified as CVE-2025-1151, affecting the xmemdup function in the xmemdup.c file of the ld component. The vulnerability was disclosed on February 10, 2025, and is classified as a memory leak issue. The affected software is the GNU Binutils package, specifically version 2.43 and potentially earlier versions (NVD, Red Hat).

The vulnerability is characterized by a memory leak in the ld linker utility of GNU Binutils. The issue has been rated with a CVSS v3.1 base score of 3.1 (Low), with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L. The attack vector is network-based, requiring high attack complexity and user interaction, while only affecting availability with a low impact (Red Hat, Snyk).

The vulnerability can lead to memory leaks when processing specially-crafted payloads, potentially resulting in application crashes or other undefined behavior. The impact primarily affects system availability, with no direct impact on confidentiality or integrity. The exploitation is known to be difficult due to the high attack complexity (Red Hat).

The code maintainer has indicated that some leak fixes are being worked on but won't be committed to the 2.44 branch due to stability concerns. All reported leaks have been fixed in the binutils master branch. However, the upcoming 2.44 release will still contain many memory leaks. Users are advised to monitor for updates and apply patches when available (Sourceware Bugzilla).