
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A vulnerability was discovered in GNU Binutils 2.43, specifically affecting the xstrdup function in the ld linker utility's xstrdup.c file. The vulnerability was disclosed on February 10, 2025, and is classified as a memory leak issue. The flaw allows remote exploitation, though with high attack complexity (NVD, Red Hat).
The vulnerability manifests as a memory leak in the xstrdup function of the ld linker utility. When processing specially-crafted input, the application fails to properly release allocated memory, leading to resource consumption. The vulnerability has received a CVSS v3.1 base score of 3.1 (LOW), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L. The issue has been classified under CWE-401 (Missing Release of Memory after Effective Lifetime) and CWE-404 (Improper Resource Shutdown or Release) (NVD).
The memory leak can lead to application crashes or other undefined behavior when exploited. The primary impact is on system availability, with no direct effect on confidentiality or integrity. The vulnerability results in gradual resource consumption, potentially affecting system performance over time (Red Hat).
While patches are being developed, the code maintainer has indicated that some leak fixes will not be included in the upcoming 2.44 release due to concerns about destabilizing the ld utility. The maintainer states: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master" (Sourceware Bugzilla).
Source: This report was generated using AI