Heap Buffer Underread Vulnerability in GNU Wget Software
CVE-2026-58469
8.7HIGH
What is CVE-2026-58469?
The heap buffer underread vulnerability in GNU Wget affects versions up to 1.25.0. This flaw occurs in the clean_metalink_string() function, where processing a Metalink document with a whitespace-only URL can cause a pointer to decrement beyond the buffer's start. Exploitation may allow an attacker serving a specially crafted Metalink file to induce memory corruption, potentially leading to erratic application behavior. Users should apply the fix identified in commit 37a40fc to mitigate this issue.
Affected Version(s)
wget 0 <= 1.25.0
wget 0 <= 1.25.0
wget 37a40fcb450153f69537c7cbc2a7a4fb0b6f7826
