{ "document": { "aggregate_severity": { "text": "Medium" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/centos-stream8els/vex/2026/cve-2026-4647-els_os-centos-stream8els.json" } ], "tracking": { "current_release_date": "2026-04-08T13:15:27Z", "generator": { "date": "2026-04-08T13:15:27Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2026-4647-ELS_OS-CENTOS-STREAM8ELS", "initial_release_date": "2026-03-23T14:16:00Z", "revision_history": [ { "date": "2026-03-23T14:16:00Z", "number": "1", "summary": "Initial version" }, { "date": "2026-04-08T12:32:35Z", "number": "2", "summary": "Official Publication" }, { "date": "2026-04-08T13:15:27Z", "number": "3", "summary": "Update document" } ], "status": "final", "version": "3" }, "title": "Security update on CVE-2026-4647" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version", "name": "binutils-devel-0:2.30-123.el8.x86_64", "product": { "name": "binutils-devel-0:2.30-123.el8.x86_64", "product_id": "binutils-devel-0:2.30-123.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/centos/binutils-devel@2.30-123.el8?arch=x86_64" } } }, { "category": "product_version", "name": "binutils-0:2.30-123.el8.x86_64", "product": { "name": "binutils-0:2.30-123.el8.x86_64", "product_id": "binutils-0:2.30-123.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/centos/binutils@2.30-123.el8?arch=x86_64" } } }, { "category": "product_version", "name": "gcc-gfortran-0:8.5.0-22.el8.x86_64", "product": { "name": "gcc-gfortran-0:8.5.0-22.el8.x86_64", "product_id": "gcc-gfortran-0:8.5.0-22.el8.x86_64", "product_identification_helper": { "purl": "pkg:rpm/centos/gcc-gfortran@8.5.0-22.el8?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "binutils-devel-0:2.30-123.el8.i686", "product": { "name": "binutils-devel-0:2.30-123.el8.i686", "product_id": "binutils-devel-0:2.30-123.el8.i686", "product_identification_helper": { "purl": "pkg:rpm/centos/binutils-devel@2.30-123.el8?arch=i686" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_name", "name": "Community Enterprise Operating System 8", "product": { "name": "Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8", "product_identification_helper": { "cpe": "cpe:2.3:o:centos:centos:8:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Community Enterprise Operating System" } ], "category": "vendor", "name": "Red Hat, Inc." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "binutils-devel-0:2.30-123.el8.tuxcare.els1.x86_64", "product": { "name": "binutils-devel-0:2.30-123.el8.tuxcare.els1.x86_64", "product_id": "binutils-devel-0:2.30-123.el8.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/binutils-devel@2.30-123.el8.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "binutils-devel-0:2.30-123.el8.tuxcare.els3.x86_64", "product": { "name": "binutils-devel-0:2.30-123.el8.tuxcare.els3.x86_64", "product_id": "binutils-devel-0:2.30-123.el8.tuxcare.els3.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/binutils-devel@2.30-123.el8.tuxcare.els3?arch=x86_64" } } }, { "category": "product_version", "name": "binutils-devel-0:2.30-123.el8.tuxcare.els2.x86_64", "product": { "name": "binutils-devel-0:2.30-123.el8.tuxcare.els2.x86_64", "product_id": "binutils-devel-0:2.30-123.el8.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/binutils-devel@2.30-123.el8.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "binutils-0:2.30-123.el8.tuxcare.els2.x86_64", "product": { "name": "binutils-0:2.30-123.el8.tuxcare.els2.x86_64", "product_id": "binutils-0:2.30-123.el8.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/binutils@2.30-123.el8.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "binutils-0:2.30-123.el8.tuxcare.els3.x86_64", "product": { "name": "binutils-0:2.30-123.el8.tuxcare.els3.x86_64", "product_id": "binutils-0:2.30-123.el8.tuxcare.els3.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/binutils@2.30-123.el8.tuxcare.els3?arch=x86_64" } } }, { "category": "product_version", "name": "binutils-0:2.30-123.el8.tuxcare.els1.x86_64", "product": { "name": "binutils-0:2.30-123.el8.tuxcare.els1.x86_64", "product_id": "binutils-0:2.30-123.el8.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/binutils@2.30-123.el8.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "gcc-gfortran-0:8.5.0-22.el8.tuxcare.els1.x86_64", "product": { "name": "gcc-gfortran-0:8.5.0-22.el8.tuxcare.els1.x86_64", "product_id": "gcc-gfortran-0:8.5.0-22.el8.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/gcc-gfortran@8.5.0-22.el8.tuxcare.els1?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "binutils-devel-0:2.30-123.el8.tuxcare.els1.i686", "product": { "name": "binutils-devel-0:2.30-123.el8.tuxcare.els1.i686", "product_id": "binutils-devel-0:2.30-123.el8.tuxcare.els1.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/binutils-devel@2.30-123.el8.tuxcare.els1?arch=i686" } } }, { "category": "product_version", "name": "binutils-devel-0:2.30-123.el8.tuxcare.els3.i686", "product": { "name": "binutils-devel-0:2.30-123.el8.tuxcare.els3.i686", "product_id": "binutils-devel-0:2.30-123.el8.tuxcare.els3.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/binutils-devel@2.30-123.el8.tuxcare.els3?arch=i686" } } }, { "category": "product_version", "name": "binutils-devel-0:2.30-123.el8.tuxcare.els2.i686", "product": { "name": "binutils-devel-0:2.30-123.el8.tuxcare.els2.i686", "product_id": "binutils-devel-0:2.30-123.el8.tuxcare.els2.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/binutils-devel@2.30-123.el8.tuxcare.els2?arch=i686" } } } ], "category": "architecture", "name": "i686" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "binutils-devel-0:2.30-123.el8.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els1.x86_64" }, "product_reference": "binutils-devel-0:2.30-123.el8.tuxcare.els1.x86_64", "relates_to_product_reference": "CentOS-Stream-8" }, { "category": "default_component_of", "full_product_name": { "name": "binutils-devel-0:2.30-123.el8.x86_64 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.x86_64" }, "product_reference": "binutils-devel-0:2.30-123.el8.x86_64", "relates_to_product_reference": "CentOS-Stream-8" }, { "category": "default_component_of", "full_product_name": { "name": "binutils-devel-0:2.30-123.el8.tuxcare.els1.i686 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els1.i686" }, "product_reference": "binutils-devel-0:2.30-123.el8.tuxcare.els1.i686", "relates_to_product_reference": "CentOS-Stream-8" }, { "category": "default_component_of", "full_product_name": { "name": "binutils-devel-0:2.30-123.el8.i686 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.i686" }, "product_reference": "binutils-devel-0:2.30-123.el8.i686", "relates_to_product_reference": "CentOS-Stream-8" }, { "category": "default_component_of", "full_product_name": { "name": "binutils-devel-0:2.30-123.el8.tuxcare.els3.x86_64 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els3.x86_64" }, "product_reference": "binutils-devel-0:2.30-123.el8.tuxcare.els3.x86_64", "relates_to_product_reference": "CentOS-Stream-8" }, { "category": "default_component_of", "full_product_name": { "name": "binutils-devel-0:2.30-123.el8.tuxcare.els3.i686 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els3.i686" }, "product_reference": "binutils-devel-0:2.30-123.el8.tuxcare.els3.i686", "relates_to_product_reference": "CentOS-Stream-8" }, { "category": "default_component_of", "full_product_name": { "name": "binutils-devel-0:2.30-123.el8.tuxcare.els2.x86_64 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els2.x86_64" }, "product_reference": "binutils-devel-0:2.30-123.el8.tuxcare.els2.x86_64", "relates_to_product_reference": "CentOS-Stream-8" }, { "category": "default_component_of", "full_product_name": { "name": "binutils-devel-0:2.30-123.el8.tuxcare.els2.i686 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els2.i686" }, "product_reference": "binutils-devel-0:2.30-123.el8.tuxcare.els2.i686", "relates_to_product_reference": "CentOS-Stream-8" }, { "category": "default_component_of", "full_product_name": { "name": "binutils-0:2.30-123.el8.tuxcare.els2.x86_64 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els2.x86_64" }, "product_reference": "binutils-0:2.30-123.el8.tuxcare.els2.x86_64", "relates_to_product_reference": "CentOS-Stream-8" }, { "category": "default_component_of", "full_product_name": { "name": "binutils-0:2.30-123.el8.x86_64 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:binutils-0:2.30-123.el8.x86_64" }, "product_reference": "binutils-0:2.30-123.el8.x86_64", "relates_to_product_reference": "CentOS-Stream-8" }, { "category": "default_component_of", "full_product_name": { "name": "binutils-0:2.30-123.el8.tuxcare.els3.x86_64 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els3.x86_64" }, "product_reference": "binutils-0:2.30-123.el8.tuxcare.els3.x86_64", "relates_to_product_reference": "CentOS-Stream-8" }, { "category": "default_component_of", "full_product_name": { "name": "binutils-0:2.30-123.el8.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els1.x86_64" }, "product_reference": "binutils-0:2.30-123.el8.tuxcare.els1.x86_64", "relates_to_product_reference": "CentOS-Stream-8" }, { "category": "default_component_of", "full_product_name": { "name": "gcc-gfortran-0:8.5.0-22.el8.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:gcc-gfortran-0:8.5.0-22.el8.tuxcare.els1.x86_64" }, "product_reference": "gcc-gfortran-0:8.5.0-22.el8.tuxcare.els1.x86_64", "relates_to_product_reference": "CentOS-Stream-8" }, { "category": "default_component_of", "full_product_name": { "name": "gcc-gfortran-0:8.5.0-22.el8.x86_64 as a component of Community Enterprise Operating System 8", "product_id": "CentOS-Stream-8:gcc-gfortran-0:8.5.0-22.el8.x86_64" }, "product_reference": "gcc-gfortran-0:8.5.0-22.el8.x86_64", "relates_to_product_reference": "CentOS-Stream-8" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-4647", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "description", "text": "A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els1.x86_64", "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els2.x86_64", "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els3.x86_64", "CentOS-Stream-8:binutils-0:2.30-123.el8.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els1.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els1.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els2.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els2.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els3.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els3.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.x86_64", "CentOS-Stream-8:gcc-gfortran-0:8.5.0-22.el8.tuxcare.els1.x86_64", "CentOS-Stream-8:gcc-gfortran-0:8.5.0-22.el8.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-4647" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2026-4647", "url": "https://access.redhat.com/security/cve/CVE-2026-4647" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2450302", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450302" }, { "category": "external", "summary": "https://sourceware.org/bugzilla/show_bug.cgi?id=33919", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33919" } ], "release_date": "2026-03-23T14:16:00Z", "remediations": [ { "category": "no_fix_planned", "details": "This issue is only reachable when a user deliberately runs a BFD-based utility (e.g., objdump/objcopy) on a crafted XCOFF file; Linux toolchains use ELF by default, so XCOFF parsing is invoked only when explicitly analyzing AIX/POWER binaries. The vulnerability is local with required user interaction and yields at most a crash or limited disclosure from the affected tool’s own memory, with no integrity impact or privilege escalation. In enterprise server/VM contexts where these developer utilities are not network‑facing and untrusted XCOFF inputs are uncommon, it represents low operational risk and can be safely deprioritized.", "product_ids": [ "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els1.x86_64", "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els2.x86_64", "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els3.x86_64", "CentOS-Stream-8:binutils-0:2.30-123.el8.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els1.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els1.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els2.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els2.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els3.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els3.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.x86_64", "CentOS-Stream-8:gcc-gfortran-0:8.5.0-22.el8.tuxcare.els1.x86_64", "CentOS-Stream-8:gcc-gfortran-0:8.5.0-22.el8.x86_64" ] }, { "category": "no_fix_planned", "details": "Deprioritize: exploitation requires a local user to manually run binutils tooling on a crafted XCOFF object, an IBM AIX–specific format that is not used by default in Linux toolchains. The flaw is an out‑of‑bounds read leading to a crash or disclosure confined to the tool’s own process memory—no integrity impact, no privilege escalation, and scope unchanged. Because binutils utilities are non‑daemon, non‑network‑facing developer tools and XCOFF inputs appear only when explicitly handled, this presents minimal risk to typical enterprise VM/server workloads.", "product_ids": [ "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els1.x86_64", "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els2.x86_64", "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els3.x86_64", "CentOS-Stream-8:binutils-0:2.30-123.el8.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els1.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els1.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els2.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els2.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els3.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els3.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.x86_64", "CentOS-Stream-8:gcc-gfortran-0:8.5.0-22.el8.tuxcare.els1.x86_64", "CentOS-Stream-8:gcc-gfortran-0:8.5.0-22.el8.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1" }, "products": [ "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els1.x86_64", "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els2.x86_64", "CentOS-Stream-8:binutils-0:2.30-123.el8.tuxcare.els3.x86_64", "CentOS-Stream-8:binutils-0:2.30-123.el8.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els1.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els1.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els2.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els2.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els3.i686", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.tuxcare.els3.x86_64", "CentOS-Stream-8:binutils-devel-0:2.30-123.el8.x86_64", "CentOS-Stream-8:gcc-gfortran-0:8.5.0-22.el8.tuxcare.els1.x86_64", "CentOS-Stream-8:gcc-gfortran-0:8.5.0-22.el8.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }