NULL pointer vulnerability in GNU Patch by GNU
CVE-2026-56288

4.6MEDIUM

Key Information:

Vendor

Gnu

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-56288?

GNU Patch suffers from a vulnerability that allows attackers to trigger a NULL pointer dereference when handling malformed unified-diff patch files. This occurs due to improper management of consecutive EOF newline markers, leading to data structure corruption within the application's patch processing. An attacker can exploit this flaw by supplying a malicious patch file, which may result in the utility crashing and causing a denial of service. The issue has been addressed in recent updates, ensuring the stability and security of the tool.

Affected Version(s)

patch 0 <= 2.8.0

References

CVSS V4

Score:
4.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michał Majchrowicz (AFINE Team)
Marcin Wyczechowski (AFINE Team)
.