@@ -43,4 +43,5 @@ SRC_URI = "\
file://CVE-2025-11412.patch \
file://CVE-2025-11413.patch \
file://CVE-2025-11495.patch \
+ file://CVE-2025-11494.patch \
"
new file mode 100644
@@ -0,0 +1,49 @@
+From b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Tue, 30 Sep 2025 08:13:56 +0800
+Subject: [PATCH] x86: Keep _GLOBAL_OFFSET_TABLE_ for .eh_frame
+
+Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep
+_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output
+.eh_frame section is non-empty.
+
+ PR ld/33499
+ * elfxx-x86.c (_bfd_x86_elf_late_size_sections): Keep
+ _GLOBAL_OFFSET_TABLE_ if there is dynamic section and the
+ output .eh_frame section is non-empty.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+
+CVE: CVE-2025-11494
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elfxx-x86.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c
+index d8c653a9ad2..140e86888a6 100644
+--- a/bfd/elfxx-x86.c
++++ b/bfd/elfxx-x86.c
+@@ -2445,6 +2445,8 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd,
+
+ if (htab->elf.sgotplt)
+ {
++ asection *eh_frame;
++
+ /* Don't allocate .got.plt section if there are no GOT nor PLT
+ entries and there is no reference to _GLOBAL_OFFSET_TABLE_. */
+ if ((htab->elf.hgot == NULL
+@@ -2457,7 +2459,11 @@ _bfd_x86_elf_late_size_sections (bfd *output_bfd,
+ && (htab->elf.iplt == NULL
+ || htab->elf.iplt->size == 0)
+ && (htab->elf.igotplt == NULL
+- || htab->elf.igotplt->size == 0))
++ || htab->elf.igotplt->size == 0)
++ && (!htab->elf.dynamic_sections_created
++ || (eh_frame = bfd_get_section_by_name (output_bfd,
++ ".eh_frame")) == NULL
++ || eh_frame->rawsize == 0))
+ {
+ htab->elf.sgotplt->size = 0;
+ /* Solaris requires to keep _GLOBAL_OFFSET_TABLE_ even if it
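Review bot: The block comment kept as context above the condition in `_bfd_x86_elf_late_size_sections` still says `.got.plt` is dropped when there are no GOT or PLT entries and no reference to `_GLOBAL_OFFSET_TABLE_`, but the added clause also keeps it whenever dynamic sections are created and the output `.eh_frame` is non-empty. I would extend that comment with something like `Also keep it if dynamic sections are created and the output .eh_frame is non-empty, since x86 .eh_frame may reference _GLOBAL_OFFSET_TABLE_.` so the code carries the rationale that is currently only in the commit message. The test reads `eh_frame->rawsize` rather than `size`; that is presumably deliberate at this point in section sizing, but the hunk does not show why, so a short why-comment would help. `eh_frame` is declared uninitialised and assigned inside the condition, so the `rawsize` read is safe only because of the `||` short-circuit order; `asection *eh_frame = NULL;` would make that robust to later reordering. The function body starts and ends outside the hunk, and since this is a verbatim backport these points are probably best raised upstream rather than changed locally.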