CRITICAL🇵🇱 Wersja polska

CVE-2026-5450

CVSS 9.8v3.1pub. 2026-04-20upd. 2026-04-23

Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

🤖 AI Analysis
How it works

The bug (CWE-122, CWE-787) manifests when using the %mc format specifier (malloc'd character match) in combination with a field width (width specifier) value greater than 1024. In such a situation, the scanf family function incorrectly calculates the size of the allocated heap buffer, resulting in writing one byte beyond its boundary (off-by-one heap buffer overflow). Incorrect write to the heap can lead to corruption of memory management structures.

Impact

An attacker can cause arbitrary code execution (RCE), violation of data confidentiality and integrity, or service unavailability. Network vector without authentication requirements and user interaction (AV:N/AC:L/PR:N/UI:N) significantly increases the risk of exploitation.

Mitigation & patch

Update glibc to a version that does not contain the vulnerability according to information published by the vendor (announcement available at the address indicated in the references). Until the update is applied, it is recommended to avoid processing untrusted input data through scanf family functions using the %mc specifier with field width exceeding 1024.

Who is affected

GNU C Library (glibc) in versions from 2.7 to 2.43 inclusive — affects Linux systems and other environments using glibc within this version range.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Gnu Glibc

    APP
    Gnu
    2.7 – 2.43
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2023-25139CRITICAL9.8ten sam produkt

sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with ...

CVE-2022-23219CRITICAL9.8ten sam produkt

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) throug...

CVE-2022-23218CRITICAL9.8ten sam produkt

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) thr...

CVE-2021-35942CRITICAL9.1ten sam produkt

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse...

CVE-2021-33574CRITICAL9.8ten sam produkt

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may us...