NULL pointer vulnerability in GNU Patch by GNU
CVE-2026-56288
4.6MEDIUM
What is CVE-2026-56288?
GNU Patch suffers from a vulnerability that allows attackers to trigger a NULL pointer dereference when handling malformed unified-diff patch files. This occurs due to improper management of consecutive EOF newline markers, leading to data structure corruption within the application's patch processing. An attacker can exploit this flaw by supplying a malicious patch file, which may result in the utility crashing and causing a denial of service. The issue has been addressed in recent updates, ensuring the stability and security of the tool.
Affected Version(s)
patch 0 <= 2.8.0
References
CVSS V4
Score:
4.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Michał Majchrowicz (AFINE Team)
Marcin Wyczechowski (AFINE Team)