The bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29 and earlier, allows remote attackers to cause an out of bounds heap write and possibly achieve code execution via a crafted mach-o file.
Conclusion & alert: CVE-2017-12459 is rated Moderate Risk (58.2/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.89%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-21 | 1.82% | 1.89% | +0.07% |
| 2 | 2026-06-15 | 0.42% | 1.82% | +1.40% |
| 3 | 2026-04-07 | — | 0.42% | — |
Full EPSS history (16 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.8 | 3.0 | HIGH |
|
1.8 | 5.9 | [email protected] |
| 6.8 | 2.0 | MEDIUM |
|
8.6 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2017-12459 not yet assigned priority: Debian including 1 source packages (binutils), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2017-12459 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2017-12459 |
suse
|
medium | CVE-2017-12459 severity moderate: SUSE including 6 source package names (binutils, binutils-devel, binutils-devel-32bit, binutils-gold, libctf-nobfd0, libctf0), 57 product×package rows across 22 product lines (SUSE CaaS Platform 4.5, SUSE Enterprise Storage 7, … (22 product lines)): Known Not Affected 57. | https://www.suse.com/security/cve/CVE-2017-12459/ |
ubuntu
|
low | CVE-2017-12459 low priority: Ubuntu including 1 source packages (binutils), 21 status rows across 21 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial, zesty): not-affected 17, released 2, ignored 1, needed 1. | https://ubuntu.com/security/CVE-2017-12459 |
| URL | Tags |
|---|---|
| https://sourceware.org/bugzilla/show_bug.cgi?id=21840 | Issue Tracking Patch Third Party Advisory |