CVE-2018-19931

Name: CVE-2018-19931
Creator: NVD / NIST
Published: 2018-12-07T07:29:00.253+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.8/10EPSS 1.47%

Last modified Jun 17, 2026

CVE-2018-19931 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted.. EPSS estimates a 1.47% chance of exploitation in the next 30 days.

Description

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils through 2.31. There is a heap-based buffer overflow in bfd_elf32_swap_phdr_in in elfcode.h because the number of program headers is not restricted.

Metrics

CVSS 3.1

7.8/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

1.47%

70.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-787

Affected Software

Vendor	Product	Versions
Gnu	Binutils	<= 2.31
Netapp	Vasa Provider	>= 7.2
Canonical	Ubuntu Linux	18.04

References

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.htmlBroken Link
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.htmlBroken Link
http://www.securityfocus.com/bid/106144Broken Link, Third Party Advisory, VDB Entry
https://security.gentoo.org/glsa/201908-01Third Party Advisory
https://security.netapp.com/advisory/ntap-20190221-0004/Patch, Third Party Advisory
https://sourceware.org/bugzilla/show_bug.cgi?id=23942Issue Tracking, Patch, Third Party Advisory
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=5f60af5d24d181371d67534fa273dd221df20c07
https://usn.ubuntu.com/4336-1/Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.htmlBroken Link
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.htmlBroken Link
http://www.securityfocus.com/bid/106144Broken Link, Third Party Advisory, VDB Entry
https://security.gentoo.org/glsa/201908-01Third Party Advisory
https://security.netapp.com/advisory/ntap-20190221-0004/Patch, Third Party Advisory
https://sourceware.org/bugzilla/show_bug.cgi?id=23942Issue Tracking, Patch, Third Party Advisory
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=5f60af5d24d181371d67534fa273dd221df20c07
https://usn.ubuntu.com/4336-1/Third Party Advisory

Timeline

Published: Dec 7, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-19931?

How severe is CVE-2018-19931?

CVE-2018-19931 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 1.47% probability of exploitation in the next 30 days.

How do I fix CVE-2018-19931?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-19931?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST