ifyGecko / CVE-2023-30226

rizin denial of service bug


CVE-2023-30226

Rizin is a reverse engineering framework forked from radare2. A flaw was discovered in its ELF parser that allows a crafted file to cause a denial of service. The flaw prevents a user from loading the file into rizin, but it has no impact on the execution of the file itself.

Your average ELF file relies on dynamic linking/loading and therefore carries extensive metadata inside the file. One such piece of metadata is the DT_VERNEEDNUM entry in the .dynamic section, which specifies the number of entries in the symbol version dependency table (the verneed table). That count is meant to be used when parsing the version dependencies, but the table was also designed so that the last verneed entry has a vn_next field equal to 0. Instead of walking the entries until it reaches that terminator, rizin loops over the table using the count taken from DT_VERNEEDNUM. A forged DT_VERNEEDNUM value such as 0xFFFFFFFFFFFFFFFF therefore makes the ELF parser spin on the last entry: it believes more entries remain and keeps computing the offset of the "next" entry from the now-zero vn_next field, which never moves. Although this affects the rizin ELF parser, it has no effect on execution of the binary, since the Linux loader detects the end of the table despite a false DT_VERNEEDNUM. The fix is equally simple: detect when vn_next is 0 and break out of the loop.
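The two loop shapes described above, as an added example that is not rizin's own code: an unpatched-style walk that trusts DT_VERNEEDNUM (given a step budget here so it can be observed stopping instead of spinning), and a patched-style walk that ends at vn_next == 0 and bounds-checks every step. The verneed table is a constructed two-entry sample, not taken from a real binary, and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

/* Elf64_Verneed is 16 bytes: vn_version(2) vn_cnt(2) vn_file(4) vn_aux(4)
 * vn_next(4). vn_next is the byte offset to the next entry; 0 ends the chain. */
#define VERNEED_SIZE 16
#define VN_NEXT_OFF  12

static uint32_t rd32(const uint8_t *p) {   /* little-endian read */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unpatched shape: iterate DT_VERNEEDNUM times, advancing by vn_next each time.
 * On the last entry vn_next is 0, so the offset stops moving and the loop spins
 * until the counter runs out. The budget only exists so the spin is observable;
 * returns the number of iterations performed. */
uint64_t walk_verneed_unpatched(const uint8_t *buf, size_t len, size_t off,
                                uint64_t verneednum, uint64_t budget) {
    uint64_t i;
    for (i = 0; i < verneednum && i < budget; i++) {
        if (off > len || len - off < VERNEED_SIZE) break;
        off += rd32(buf + off + VN_NEXT_OFF);   /* adds 0 forever on the last entry */
    }
    return i;
}

/* Patched shape: DT_VERNEEDNUM is only an upper bound; the chain ends at
 * vn_next == 0 and every step stays inside the buffer. Returns entries visited. */
uint64_t walk_verneed_patched(const uint8_t *buf, size_t len, size_t off,
                              uint64_t verneednum) {
    uint64_t count = 0;
    while (count < verneednum) {
        if (off > len || len - off < VERNEED_SIZE) break;   /* truncated entry */
        uint32_t vn_next = rd32(buf + off + VN_NEXT_OFF);
        count++;
        if (vn_next == 0 || vn_next > len - off) break;     /* end of chain, or off the end */
        off += vn_next;
    }
    return count;
}

/* Constructed sample table: entry 0 links to entry 1 at +16; entry 1 is last. */
static const uint8_t SAMPLE_VERNEED[2 * VERNEED_SIZE] = {
    1,0, 1,0, 0,0,0,0, 16,0,0,0, 16,0,0,0,   /* vn_version=1 vn_cnt=1 vn_aux=16 vn_next=16 */
    1,0, 1,0, 0,0,0,0, 16,0,0,0, 0,0,0,0,    /* vn_next=0: terminator */
};

/* Both walks driven with a forged DT_VERNEEDNUM of 0xFFFFFFFFFFFFFFFF. */
uint64_t demo_patched(void)   { return walk_verneed_patched(SAMPLE_VERNEED, sizeof SAMPLE_VERNEED, 0, UINT64_MAX); }
uint64_t demo_unpatched(void) { return walk_verneed_unpatched(SAMPLE_VERNEED, sizeof SAMPLE_VERNEED, 0, UINT64_MAX, 1000); }
```

The patched walk visits exactly the two real entries, while the unpatched walk exhausts whatever budget it is given, which is the spin the advisory describes.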

The bug is present in versions prior to v0.5.0 and was patched in commit 4564986ef29f8872a95733416ce0a860ac2aa7e5. The affected file and function are librz/bin/format/elf/elf_info.c, get_gnu_verneed(ELFOBJ *bin).

https://github.com/rizinorg/rizin/pull/3214
https://github.com/rizinorg/rizin/pull/3214/commits/4564986ef29f8872a95733416ce0a860ac2aa7e5
