Impact
A vulnerability was discovered in the LLVM project, affecting the function GCRelocateInst::getBasePtr in the Bitcode File Handler. The flaw causes a heap-based buffer overflow, which can lead to local code execution if an attacker supplies crafted bitcode. The weakness is an example of CWE‑119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE‑122 (Heap‑based Buffer Overflow).
Affected Systems
The affected product is LLVM’s llvm-project library, specifically the Bitcode File Handler module. Versions up to 22.1.6 are known to be vulnerable. The issue arises when processing .bc files as part of the LLVM compiler infrastructure.
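A first-pass triage check for the affected range stated above, given as an added example and not taken from the advisory or the LLVM project. The function names (`extract_version`, `version_le`, `classify_llvm`) are hypothetical and the sample banners are constructed; only the 22.1.6 threshold comes from this page.

```shell
#!/bin/sh
# Added example: flag LLVM builds inside the advisory's range ("up to 22.1.6").
LAST_AFFECTED="22.1.6"   # taken from the advisory text above

# Pull the first X.Y.Z out of a version banner (e.g. `clang --version`).
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Succeed if version $1 <= version $2, comparing each field numerically
# (a plain string comparison would rank 9.0.1 above 22.1.6).
version_le() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2          # $1..$3 = first version, $4..$6 = second
    IFS=$old_ifs
    if [ "$1" -ne "$4" ]; then
        if [ "$1" -lt "$4" ]; then return 0; else return 1; fi
    fi
    if [ "$2" -ne "$5" ]; then
        if [ "$2" -lt "$5" ]; then return 0; else return 1; fi
    fi
    if [ "$3" -le "$6" ]; then return 0; else return 1; fi
}

# Print "affected V", "outside-listed-range V", or "unknown" for a banner.
classify_llvm() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    if version_le "$ver" "$LAST_AFFECTED"; then
        echo "affected $ver"
    else
        echo "outside-listed-range $ver"
    fi
}

# Constructed sample banners, so the script runs without LLVM installed.
for banner in "clang version 22.1.6" "Ubuntu clang version 18.1.3 (1ubuntu1)" \
              "LLVM version 22.1.7" "clang version 9.0.1"; do
    printf '%-42s -> %s\n' "$banner" "$(classify_llvm "$banner")"
done

# Then check whatever toolchain is actually on PATH. Vendor-renumbered builds
# (Apple clang, for example) do not follow upstream numbering; verify those by hand.
for tool in llvm-config clang; do
    if command -v "$tool" >/dev/null 2>&1; then
        printf '%-42s -> %s\n' "$tool" "$(classify_llvm "$("$tool" --version 2>/dev/null)")"
    fi
done
```

A result of `outside-listed-range` only means the version is above the range this page lists; it does not confirm that a fix is present.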
Risk and Exploitability
The CVSS score of 4.8 indicates moderate risk. EPSS is not available, so real‑world exploitation likelihood is unclear. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is local: an attacker would need to provide malicious bitcode to a process that uses LLVM. Although the exploit has been publicly disclosed, no patch was publicly available at the time of this analysis.