{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/cloudlinux7els/vex/2026/cve-2026-4647-els_os-cloudlinux7els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-10T19:39:00Z",
      "generator": {
        "date": "2026-04-10T19:39:04Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2026-4647-ELS_OS-CLOUDLINUX7ELS",
      "initial_release_date": "2026-03-23T14:16:00Z",
      "revision_history": [
        {
          "date": "2026-03-23T14:16:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-10T19:39:00Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "Security update on CVE-2026-4647"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libquadmath-0:4.8.5-44.0.3.el7.x86_64",
                "product": {
                  "name": "libquadmath-0:4.8.5-44.0.3.el7.x86_64",
                  "product_id": "libquadmath-0:4.8.5-44.0.3.el7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/libquadmath@4.8.5-44.0.3.el7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "binutils-devel-0:2.27-44.base.el7_9.1.x86_64",
                "product": {
                  "name": "binutils-devel-0:2.27-44.base.el7_9.1.x86_64",
                  "product_id": "binutils-devel-0:2.27-44.base.el7_9.1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/binutils-devel@2.27-44.base.el7_9.1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "binutils-0:2.27-44.base.el7_9.1.x86_64",
                "product": {
                  "name": "binutils-0:2.27-44.base.el7_9.1.x86_64",
                  "product_id": "binutils-0:2.27-44.base.el7_9.1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/binutils@2.27-44.base.el7_9.1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libquadmath-0:4.8.5-44.0.3.el7.i686",
                "product": {
                  "name": "libquadmath-0:4.8.5-44.0.3.el7.i686",
                  "product_id": "libquadmath-0:4.8.5-44.0.3.el7.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/libquadmath@4.8.5-44.0.3.el7?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "binutils-devel-0:2.27-44.base.el7_9.1.i686",
                "product": {
                  "name": "binutils-devel-0:2.27-44.base.el7_9.1.i686",
                  "product_id": "binutils-devel-0:2.27-44.base.el7_9.1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/binutils-devel@2.27-44.base.el7_9.1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "CloudLinux 7",
                "product": {
                  "name": "CloudLinux 7",
                  "product_id": "CloudLinux-7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:cloudlinux:cloudlinux:7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "CloudLinux"
          }
        ],
        "category": "vendor",
        "name": "Cloud Linux Software, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.x86_64",
                "product": {
                  "name": "libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.x86_64",
                  "product_id": "libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libquadmath@4.8.5-44.0.3.el7.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.i686",
                "product": {
                  "name": "libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.i686",
                  "product_id": "libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libquadmath@4.8.5-44.0.3.el7.tuxcare.els1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
                "product": {
                  "name": "binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
                  "product_id": "binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/binutils-devel@2.27-44.base.el7_9.1.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "binutils-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
                "product": {
                  "name": "binutils-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
                  "product_id": "binutils-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/binutils@2.27-44.base.el7_9.1.tuxcare.els2?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.i686",
                "product": {
                  "name": "binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.i686",
                  "product_id": "binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/binutils-devel@2.27-44.base.el7_9.1.tuxcare.els2?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "CloudLinux"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.x86_64"
        },
        "product_reference": "libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libquadmath-0:4.8.5-44.0.3.el7.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.x86_64"
        },
        "product_reference": "libquadmath-0:4.8.5-44.0.3.el7.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.i686 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.i686"
        },
        "product_reference": "libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.i686",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libquadmath-0:4.8.5-44.0.3.el7.i686 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.i686"
        },
        "product_reference": "libquadmath-0:4.8.5-44.0.3.el7.i686",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64"
        },
        "product_reference": "binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "binutils-devel-0:2.27-44.base.el7_9.1.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.x86_64"
        },
        "product_reference": "binutils-devel-0:2.27-44.base.el7_9.1.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.i686 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.i686"
        },
        "product_reference": "binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.i686",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "binutils-devel-0:2.27-44.base.el7_9.1.i686 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.i686"
        },
        "product_reference": "binutils-devel-0:2.27-44.base.el7_9.1.i686",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "binutils-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:binutils-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64"
        },
        "product_reference": "binutils-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "binutils-0:2.27-44.base.el7_9.1.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:binutils-0:2.27-44.base.el7_9.1.x86_64"
        },
        "product_reference": "binutils-0:2.27-44.base.el7_9.1.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-4647",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "CloudLinux-7:binutils-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
          "CloudLinux-7:binutils-0:2.27-44.base.el7_9.1.x86_64",
          "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.i686",
          "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.i686",
          "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
          "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.x86_64",
          "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.i686",
          "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.i686",
          "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.x86_64",
          "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-4647"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/security/cve/CVE-2026-4647",
          "url": "https://access.redhat.com/security/cve/CVE-2026-4647"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2450302",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450302"
        },
        {
          "category": "external",
          "summary": "https://sourceware.org/bugzilla/show_bug.cgi?id=33919",
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33919"
        }
      ],
      "release_date": "2026-03-23T14:16:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "- Exploitation is local-only and requires a user to deliberately run a binutils tool (e.g., objdump or nm) on a crafted XCOFF object; these tools are manual, non-network-facing utilities in server/VM environments.  \n- The vulnerability yields denial-of-service or, at most, limited memory disclosure confined to the tool’s process, with no integrity impact or code execution.  \n- Because XCOFF is the AIX object format and BFD parses it only when explicitly invoked on such files, routine enterprise workloads are unlikely to encounter untrusted XCOFF inputs, so this issue can be safely deprioritized.",
          "product_ids": [
            "CloudLinux-7:binutils-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
            "CloudLinux-7:binutils-0:2.27-44.base.el7_9.1.x86_64",
            "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.i686",
            "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.i686",
            "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
            "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.x86_64",
            "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.i686",
            "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.i686",
            "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.x86_64",
            "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.x86_64"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "This issue is only reachable when a user deliberately runs a BFD-based utility (e.g., objdump/objcopy) on a crafted XCOFF file; Linux toolchains use ELF by default, so XCOFF parsing is invoked only when explicitly analyzing AIX/POWER binaries. The vulnerability is local with required user interaction and yields at most a crash or limited disclosure from the affected tool’s own memory, with no integrity impact or privilege escalation. In enterprise server/VM contexts where these developer utilities are not network‑facing and untrusted XCOFF inputs are uncommon, it represents low operational risk and can be safely deprioritized.",
          "product_ids": [
            "CloudLinux-7:binutils-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
            "CloudLinux-7:binutils-0:2.27-44.base.el7_9.1.x86_64",
            "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.i686",
            "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.i686",
            "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
            "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CloudLinux-7:binutils-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
            "CloudLinux-7:binutils-0:2.27-44.base.el7_9.1.x86_64",
            "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.i686",
            "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.i686",
            "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.tuxcare.els2.x86_64",
            "CloudLinux-7:binutils-devel-0:2.27-44.base.el7_9.1.x86_64",
            "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.i686",
            "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.i686",
            "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.tuxcare.els1.x86_64",
            "CloudLinux-7:libquadmath-0:4.8.5-44.0.3.el7.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}