Heap Buffer Overflow in GNU Wget Affects Multiple Versions
CVE-2026-58471

6MEDIUM

Key Information:

Vendor

Gnuwget

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-58471?

GNU Wget versions up to 1.25.0 are susceptible to a heap buffer overflow in the convert_fname() function located in src/url.c. This vulnerability allows remote attackers to execute a memory corruption exploit by supplying a crafted filename that requires character set conversion. The flaw arises when the allocation process misjudges the buffer's remaining space during an iconv E2BIG reallocation. As a result, malicious server responses can lead to a potential compromise of the affected system.

Affected Version(s)

wget 0 <= 1.25.0

wget 0 <= 1.25.0

wget c2640fe5171c59f87c58dc9fcb195b2d18b010ee

References

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tristan Madani
.