Denial of Service Vulnerability in GNU Patch by GNU
CVE-2026-56289

4.6MEDIUM

Key Information:

Vendor

Gnu

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-56289?

GNU Patch contains a flaw that allows for denial of service due to inadequate verification of line offsets in unified-diff input. An attacker can exploit this by crafting a malicious patch that specifies a massive line number, leading the application to enter an infinite processing loop. This behavior causes significant CPU usage and renders the application unresponsive, necessitating manual termination. Users are advised to update to the latest version where this vulnerability has been addressed in commit faba04ef4f2b410257f76c1b9dc85e350929c4b9.

Affected Version(s)

patch 0 <= 2.8.0

References

CVSS V4

Score:
4.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michał Majchrowicz (AFINE Team)
Marcin Wyczechowski (AFINE Team)
.