CVE-2014-0172

Integer overflow in the check_section function in dwarf_begin_elf.c in the libdw library, as used in elfutils 0.153 and possibly through 0.158 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed compressed debug section in an ELF file, which triggers a heap-based buffer overflow.

Published: 2014-04-11 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2014-0172 is rated Moderate Risk (60.6/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 4.03%). EPSS rose +2.20% over the last day, indicating growing attacker interest. Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2014-0172

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 1.83% 4.03% +2.20%
2 2025-03-30 4.74% 1.83% -2.91%
3 2025-03-29 4.74%

Full EPSS history (7 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2014-0172

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.8 2.0 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 8.6 6.4 [email protected]

Weakness enumeration for CVE-2014-0172

OS Trackers for CVE-2014-0172

vendor priority summary link
debian low CVE-2014-0172 low priority: Debian including 1 source packages (elfutils), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2014-0172
gentoo normal CVE-2014-0172: 1 GLSA(s) (201612-32), 1 atom(s) (dev-libs/elfutils); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2014-0172
redhat medium https://access.redhat.com/security/cve/CVE-2014-0172
suse medium CVE-2014-0172 severity moderate: SUSE including 108 source package names (elfutils, elfutils-0.158-3.200, …), 346 product×package rows across 41 product lines (HPE Helion OpenStack 8, SUSE Linux Enterprise Desktop 12, … (41 product lines)): Fixed 211, Known Not Affected 135. https://www.suse.com/security/cve/CVE-2014-0172/
ubuntu medium CVE-2014-0172 medium priority: Ubuntu including 1 source packages (elfutils), 6 status rows across 6 suites (lucid, precise, quantal, saucy, trusty, upstream): released 3, not-affected 2, needs-triage 1. https://ubuntu.com/security/CVE-2014-0172

Affected software / configurations for CVE-2014-0172

Vendor Product Version Raw CPE
elfutils_project elfutils 0.153 cpe:2.3:a:elfutils_project:elfutils:0.153:*:*:*:*:*:*:*
elfutils_project elfutils 0.154 cpe:2.3:a:elfutils_project:elfutils:0.154:*:*:*:*:*:*:*
elfutils_project elfutils 0.155 cpe:2.3:a:elfutils_project:elfutils:0.155:*:*:*:*:*:*:*
elfutils_project elfutils 0.156 cpe:2.3:a:elfutils_project:elfutils:0.156:*:*:*:*:*:*:*
elfutils_project elfutils 0.157 cpe:2.3:a:elfutils_project:elfutils:0.157:*:*:*:*:*:*:*
elfutils_project elfutils 0.158 cpe:2.3:a:elfutils_project:elfutils:0.158:*:*:*:*:*:*:*

References for CVE-2014-0172

cvelogic Threat Intelligence