Intel

AIKIDO-2026-74974

symbolic-debuginfo is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

33

Low Risk

This Affects:

RUSTsymbolic-debuginfo
2.0.4 - 13.8.0
Fixed in 13.9.0
Are you affected? Scan for Free

TL;DR

The library parses debug information formats such as ELF and Breakpad from potentially untrusted files. When locating ELF sections it assumes section names begin with a . and slices section data using raw file offsets and sizes without bounds checks, so a malformed section name or an invalid offset/size can trigger a panic or out-of-bounds read. When parsing Breakpad objects it also follows inline records without any nesting-depth limit, so deeply nested inline data can cause excessive processing. The fix skips sections with unexpected names, uses bounds-checked slicing, and enforces a maximum inline nesting depth.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application parses untrusted or malformed ELF or Breakpad debug files with the library.

Background info

symbolic-debuginfo is vulnerable to Denial of Service (DoS) in versions 2.0.4 - 13.8.0.

How to fix this

Upgrade the symbolic-debuginfo library to the patch version.