Cloud Foundry Logo
blog single gear
Security Advisory

USN-6544-1: GNU binutils vulnerabilities

USN-6544-1: GNU binutils vulnerabilities




Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 22.04


It was discovered that GNU binutils incorrectly handled certain COFF files. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2022-38533) It was discovered that GNU binutils was not properly performing bounds checks in several functions, which could lead to a buffer overflow. An attacker could possibly use this issue to cause a denial of service, expose sensitive information or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-4285, CVE-2020-19726, CVE-2021-46174) It was discovered that GNU binutils contained a reachable assertion, which could lead to an intentional assertion failure when processing certain crafted DWARF files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-35205) Update Instructions: Run `sudo pro fix USN-6544-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: binutils-dev – 2.34-6ubuntu1.7 binutils-arm-linux-gnueabihf – 2.34-6ubuntu1.7 binutils-hppa64-linux-gnu – 2.34-6ubuntu1.7 binutils-ia64-linux-gnu – 2.34-6ubuntu1.7 binutils-multiarch – 2.34-6ubuntu1.7 binutils-x86-64-kfreebsd-gnu – 2.34-6ubuntu1.7 binutils-riscv64-linux-gnu – 2.34-6ubuntu1.7 binutils-m68k-linux-gnu – 2.34-6ubuntu1.7 binutils-for-build – 2.34-6ubuntu1.7 binutils-s390x-linux-gnu – 2.34-6ubuntu1.7 binutils-x86-64-linux-gnu – 2.34-6ubuntu1.7 binutils-multiarch-dev – 2.34-6ubuntu1.7 binutils-i686-gnu – 2.34-6ubuntu1.7 libctf-nobfd0 – 2.34-6ubuntu1.7 binutils-for-host – 2.34-6ubuntu1.7 binutils-doc – 2.34-6ubuntu1.7 binutils-sh4-linux-gnu – 2.34-6ubuntu1.7 binutils-aarch64-linux-gnu – 2.34-6ubuntu1.7 libctf0 – 2.34-6ubuntu1.7 binutils-source – 2.34-6ubuntu1.7 binutils-i686-linux-gnu – 2.34-6ubuntu1.7 binutils-common – 2.34-6ubuntu1.7 binutils-x86-64-linux-gnux32 – 2.34-6ubuntu1.7 binutils-i686-kfreebsd-gnu – 2.34-6ubuntu1.7 binutils-powerpc64le-linux-gnu – 2.34-6ubuntu1.7 binutils-powerpc64-linux-gnu – 2.34-6ubuntu1.7 binutils-hppa-linux-gnu – 2.34-6ubuntu1.7 binutils-sparc64-linux-gnu – 2.34-6ubuntu1.7 libbinutils – 2.34-6ubuntu1.7 binutils-arm-linux-gnueabi – 2.34-6ubuntu1.7 binutils-alpha-linux-gnu – 2.34-6ubuntu1.7 binutils-powerpc-linux-gnu – 2.34-6ubuntu1.7 binutils – 2.34-6ubuntu1.7 No subscription required

CVEs contained in this USN include: CVE-2022-38533, CVE-2020-19726, CVE-2021-46174, CVE-2022-35205, CVE-2022-4285.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

  • cflinuxfs4
    • All versions prior to 1.59.0
  • Jammy Stemcells
    • 1.x versions prior to 1.327
    • All other stemcells not listed.
  • CF Deployment
    • All versions with Jammy Stemcells prior to 1.327


Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading the following releases:

  • cflinuxfs4
    • Upgrade all versions to 1.59.0 or greater
  • Jammy Stemcells
    • Upgrade 1.x versions to 1.327 or greater
    • All other stemcells should be upgraded to the latest version available on
  • CF Deployment
    • For all versions, upgrade Jammy Stemcells to 1.327 or greater


2024-04-04: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR