Heap Buffer Underread Vulnerability in GNU Wget Software
CVE-2026-58469

8.7HIGH

Key Information:

Vendor

Gnuwget

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-58469?

The heap buffer underread vulnerability in GNU Wget affects versions up to 1.25.0. This flaw occurs in the clean_metalink_string() function, where processing a Metalink document with a whitespace-only URL can cause a pointer to decrement beyond the buffer's start. Exploitation may allow an attacker serving a specially crafted Metalink file to induce memory corruption, potentially leading to erratic application behavior. Users should apply the fix identified in commit 37a40fc to mitigate this issue.

Affected Version(s)

wget 0 <= 1.25.0

wget 0 <= 1.25.0

wget 37a40fcb450153f69537c7cbc2a7a4fb0b6f7826

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tristan Madani
.