📖 ~4 min read • Source: Rocky Linux RXSA RLSA-2026:0108
Related CVEs: CVE-2025-11083
Upstream summary: Binutils is a collection of binary utilities, including ar (for creating, modifying and extracting from archives), as (a family of GNU assemblers), gprof (for displaying call graph profile data), ld (the GNU linker), nm (for listing symbols from object files), objcopy (for copying and translating object files), objdump (for displaying information from object files), ranlib (for generating an index for the contents of an archive), readelf (for displaying detailed information a
Table of contents
Symptom & Impact
On Rocky Linux 10 hosts that have gcc-toolset-15-binutils installed, operators report behaviour consistent with Rocky Linux RXSA RLSA-2026:0108: dnf refuses to install or restart affected services, SELinux AVC denials appear in /var/log/audit/audit.log, and — for security-rated advisories — the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever gcc-toolset-15-binutils sits on the serving path.
Environment & Reproduction
Reproduction targets Rocky Linux 10. Confirm release and the installed package:
cat /etc/rocky-release
cat /etc/os-release
rpm -q gcc-toolset-15-binutils
dnf info gcc-toolset-15-binutils | head -20Trigger the workflow that exposes gcc-toolset-15-binutils — vulnerability — patch and remediation guide while collecting:
sudo journalctl -u gcc-toolset-15-binutils -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/dnf.log
sudo tail -200 /var/log/audit/audit.log
# For an evidence bundle bundle with sosreport:
sudo sosreport --batchRoot Cause Analysis
Root cause is documented in Rocky Linux RXSA RLSA-2026:0108. Rocky Linux / Red Hat maintainers shipped fixes in the corresponding gcc-toolset-15-binutils update for Rocky Linux 10; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate dnf history with system logs:
sudo dnf history | head
sudo dnf history list gcc-toolset-15-binutils
sudo dnf history info <id>
sudo ausearch -m AVC,USER_AVC -ts today | tail -100
cat /proc/sys/kernel/tainted # non-zero = tainted kernel / out-of-tree modulesQuick Triage
Run these on Rocky Linux 10 to capture the current state of gcc-toolset-15-binutils:
rpm -q gcc-toolset-15-binutils # installed NVR
rpm -V gcc-toolset-15-binutils # verify shipped files
sudo dnf check-update --security
sudo dnf updateinfo list cves
systemctl --failed --no-pager
sudo firewall-cmd --list-all
getenforce && sestatus
# If gcc-toolset-15-binutils ships a systemd unit (unit name may differ from pkg name, e.g.
# bind→named, postgresql-server→postgresql, php-fpm→php-fpm):
systemctl list-unit-files | grep -i gcc | headStep-by-Step Diagnosis
-
List failed systemd units.
systemctl --failed --no-pager -
Tail the journal for
gcc-toolset-15-binutilsand the system bus.sudo journalctl -u gcc-toolset-15-binutils -f --no-pager sudo journalctl -xe -f --no-pager -
Inspect firewall posture.
sudo firewall-cmd --list-all-zones --permanent sudo nft list ruleset 2>/dev/null | head -50 -
Surface SELinux denials and author a local policy module if needed.
sudo ausearch -m AVC,USER_AVC -ts today sudo ausearch -m AVC -ts today | audit2allow -a -M /tmp/local-fix sudo semodule -i /tmp/local-fix.pp -
Verify
gcc-toolset-15-binutilsintegrity and reinstall if anything is altered.sudo rpm -V gcc-toolset-15-binutils sudo dnf reinstall gcc-toolset-15-binutils -
Correlate findings with
/var/log/dnf.log,dnf history, and Rocky Linux RXSA RLSA-2026:0108 to pin the change that introduced gcc-toolset-15-binutils — vulnerability — patch and remediation guide.
Solution – Primary Fix
Apply the corrective dnf transaction referenced by Rocky Linux RXSA RLSA-2026:0108, then reload affected systemd units:
sudo dnf -y makecache
sudo dnf -y upgrade --security # apply ALL security errata (recommended)
# Or target a single package:
sudo dnf -y upgrade gcc-toolset-15-binutils
sudo systemctl daemon-reload
# Unit name may differ from pkg name; check first:
systemctl list-unit-files | grep -i gcc | head
sudo systemctl restart gcc-toolset-15-binutils
rpm -q gcc-toolset-15-binutils # confirm new NVR
systemctl is-active gcc-toolset-15-binutils 2>/dev/null # confirm running (if a unit exists)For kernel / glibc / systemd / openssl advisories a reboot is required (or kpatch where licensed):
sudo needs-restarting -r # report whether reboot needed
sudo systemctl reboot # or: sudo shutdown -r now
# kpatch (Red Hat / Oracle) avoids reboot for many kernel CVEs:
sudo dnf install -y kpatch kpatch-dnf
sudo dnf kpatch auto # enable auto-patching
sudo kpatch listNeed help rolling this patch across a Rocky Linux fleet? Our IT Solutions & Services team manages Rocky / RHEL patch windows with Pulp / Foreman / Spacewalk plus kpatch. Get in touch for a free consultation.
Solution – Alternative Approaches
If the primary patch is not viable, choose from these:
-
Roll back the offending dnf transaction:
sudo dnf history list | head sudo dnf history info <id> sudo dnf history undo <id> -
Version-lock the package so dnf cannot upgrade it:
sudo dnf install -y python3-dnf-plugin-versionlock sudo dnf versionlock add gcc-toolset-15-binutils sudo dnf versionlock list sudo dnf versionlock delete gcc-toolset-15-binutils # remove the lock -
Install an older NVR if a regression is suspected:
dnf --showduplicates list gcc-toolset-15-binutils | tac | head sudo dnf install -y --allowerasing gcc-toolset-15-binutils-<older-NVR> -
Switch SELinux to permissive briefly to confirm policy is the cause, then re-enforce:
sudo setenforce 0 # reproduce, capture denials, author a custom module: sudo ausearch -m AVC -ts recent | audit2allow -a -M mylocal sudo semodule -i mylocal.pp sudo setenforce 1 -
Take an LVM snapshot before kernel / glibc upgrades for fast rollback:
sudo lvs sudo lvcreate -s -n preupgrade -L 4G /dev/<vg>/<lv> # revert later via: sudo lvconvert --merge /dev/<vg>/preupgrade && sudo systemctl reboot -
Where kpatch is licensed, apply kernel fixes without reboot:
sudo kpatch list sudo kpatch load /usr/lib/modules/$(uname -r)/extra/kpatch/*.ko
Verification & Acceptance Criteria
All of these should pass after the fix:
rpm -q gcc-toolset-15-binutils # expected fixed NVR
sudo dnf updateinfo list cves --installed # CVEs above no longer listed
systemctl is-active gcc-toolset-15-binutils 2>/dev/null
sudo journalctl -u gcc-toolset-15-binutils --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
getenforce
sudo needs-restarting -rThe original reproduction for gcc-toolset-15-binutils — vulnerability — patch and remediation guide must not trigger across two consecutive runs.
Rollback Plan
Capture state before any change:
rpm -qa > /root/rpm-pre.txt
sudo dnf history list > /root/dnf-history-pre.txt
# Optional LVM snapshot of the root LV:
sudo lvcreate -s -n preupgrade -L 4G /dev/<vg>/<lv>To revert if the patch is bad:
sudo dnf history undo <id>
# Or downgrade just the package:
sudo dnf install -y --allowerasing gcc-toolset-15-binutils-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart gcc-toolset-15-binutils
# Or merge the LVM snapshot and reboot:
sudo lvconvert --merge /dev/<vg>/preupgrade && sudo systemctl reboot
# Custom SELinux policy cleanup:
sudo semodule -r mylocalPrevention & Hardening
Reduce the chance of this recurring on Rocky Linux 10:
-
Enable automatic security patching:
sudo dnf install -y dnf-automatic sudo sed -i 's/^upgrade_type.*/upgrade_type = security/' /etc/dnf/automatic.conf sudo sed -i 's/^apply_updates.*/apply_updates = yes/' /etc/dnf/automatic.conf sudo systemctl enable --now dnf-automatic.timer -
Subscribe to rocky-announce and watch Red Hat security updates for upstream changes.
-
Mirror through a local Pulp / Foreman / Spacewalk-style repo for controlled rollouts:
sudo dnf install -y dnf-utils createrepo_c sudo reposync --download-metadata --downloadcomps -p /srv/mirror -- repoid=baseos sudo createrepo_c /srv/mirror/baseos -
Version-lock sensitive packages so they cannot be auto-upgraded:
sudo dnf install -y python3-dnf-plugin-versionlock sudo dnf versionlock add gcc-toolset-15-binutils -
Monitor file integrity with AIDE:
sudo dnf install -y aide sudo aide --init && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz sudo aide --check -
Enable kpatch so kernel CVEs can be remediated without reboot:
sudo dnf install -y kpatch kpatch-dnf sudo dnf kpatch auto sudo kpatch list -
Keep SELinux in enforcing mode and review custom modules in
/etc/selinux/targeted/after every package upgrade. -
Apply CIS Rocky Linux 10 Benchmark hardening and remove unused packages.
Related Errors & Cross-Refs
Issues that commonly surface alongside gcc-toolset-15-binutils — vulnerability — patch and remediation guide: dnf lock contention, systemd unit ordering cycles, SELinux AVC bursts, firewalld zone drift, and kernel taint flags. Useful triage:
sudo dnf check
systemd-analyze critical-chain
sudo ausearch -m AVC -ts today | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/tainted
sudo needs-restarting -rView all rocky-linux-10 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
Primary reference: Rocky Linux RXSA RLSA-2026:0108. Manual pages useful on Rocky Linux 10:
man dnf
man dnf.conf
man systemctl
man journalctl
man firewall-cmd
man semanage
man audit2allow
man kpatch
man sosreportOther resources: docs.rockylinux.org, Red Hat CVE database, Rocky Linux errata, and per-package notes in /usr/share/doc/gcc-toolset-15-binutils/ for components implicated in gcc-toolset-15-binutils — vulnerability — patch and remediation guide.
