Integer Overflow Vulnerability in Gawk by GNU
CVE-2026-40469

5.1MEDIUM

Key Information:

Vendor

Gnu

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-40469?

An integer overflow vulnerability in the 'do_sub()' routine of the 'builtin.c' file within Gawk allows for the potential corruption of heap metadata and objects. This flaw specifically impacts 32-bit builds of Gawk in versions up to and including 5.4.0, which may lead to program crashes. By exploiting this vulnerability, an attacker could manipulate memory management within the application, resulting in unexpected behavior and stability issues.

Affected Version(s)

gawk 32 bit 0 <= 5.4.0

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michał Majchrowicz (AFINE)
Marcin Wyczechowski (AFINE)
.