Denial of Service Vulnerability in GNU Patch by GNU
CVE-2026-56289
4.6MEDIUM
What is CVE-2026-56289?
GNU Patch contains a flaw that allows for denial of service due to inadequate verification of line offsets in unified-diff input. An attacker can exploit this by crafting a malicious patch that specifies a massive line number, leading the application to enter an infinite processing loop. This behavior causes significant CPU usage and renders the application unresponsive, necessitating manual termination. Users are advised to update to the latest version where this vulnerability has been addressed in commit faba04ef4f2b410257f76c1b9dc85e350929c4b9.
Affected Version(s)
patch 0 <= 2.8.0
References
CVSS V4
Score:
4.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Michał Majchrowicz (AFINE Team)
Marcin Wyczechowski (AFINE Team)