Zero Day Monitor (ZDM)
7.8
CVE-2026-6846
gnu · binutils

Binutils: binutils: arbitrary code execution via malformed xcoff object file processing

Description

A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.

Affected Products

| Vendor | Product | Versions |
|--------|----------|----------|
| gnu | binutils | — |

References

  • https://access.redhat.com/security/cve/CVE-2026-6846 (vdb-entry, x_refsource_REDHAT)
  • https://bugzilla.redhat.com/show_bug.cgi?id=2460006 (issue-tracking, x_refsource_REDHAT)

Related News (3 articles)

  • Tier B · CERT-FR · 29d ago
    Multiple vulnerabilities in Microsoft Azure Linux (18 May 2026)
    → No new info (linked only)
  • Tier A · Microsoft MSRC · 43d ago
    CVE-2026-6846 Binutils: binutils: arbitrary code execution via malformed xcoff object file processing
    → No new info (linked only)
  • Tier C · VulDB · 54d ago
    CVE-2026-6846 | GNU Binutils XCOFF heap-based overflow
    → No new info (linked only)

CVSS 3.1: 7.8 NONE
CISA KEV: No
Actively exploited: No
CWE: CWE-122
Published: Apr 22, 2026
Last enriched: 54d ago (v2)
Trending Score: 2
Source articles: 3
Independent: 3
Info Completeness: 7/14
Missing: versions, epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

  • MEDIUM · PRE-CVE
    GNU gsasl Heap Disclosure in NTLM Client Step
    Trending: 23
  • CRITICAL · CVE-2026-5450
    scanf %mc off-by-one heap buffer overflow
    Trending: 11
  • HIGH · CVE-2026-48829
    CVE-2026-48829: In GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known toke
    Trending: 3
  • NONE · CVE-2026-5958
    Race Condition in GNU Sed
    Trending: 1
  • HIGH · CVE-2026-40556
    Insecure Directory Permissions in GNU nano Leading to Privilege Abuse

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Apr 22, 2026
  • Discovered by ZDM: Apr 22, 2026
  • Updated: severity: Apr 22, 2026

Version History

v2 · Tier C · 54d ago

Updated vendor to GNU, product to GNU Binutils, severity to CRITICAL, and corrected exploit availability status.

severity (via VulDB)

v1 · 54d ago

Initial creation