CVE Catalog

CVE-2026-58012

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

A flaw was found in GLib where a buffer over-read occurs in the g_regex_replace function when using the G_REGEX_RAW compile flag and case-change replacement escapes. The string_append function processes matched substrings using UTF-8 functions that assume valid UTF-8 input, even when the string is treated as raw bytes. This can lead to minor information disclosure of 1-5 bytes and a denial of service when the buffer over-read crosses a page boundary.

Risk Assessment

The risk for the organization includes potential disclosure of a small amount of data (1-5 bytes) and the possibility of service disruption (DoS) when the buffer over-read crosses a page boundary.

Recommendation

It is recommended to immediately update the GLib library to a version that fixes this vulnerability. Also, avoid using the G_REGEX_RAW flag with the g_regex_replace function until a patch is applied.

Original NVD description (English source)

A flaw was found in GLib. A buffer over-read can occur in the g_regex_replace function when used with the `G_REGEX_RAW` compile flag and case-change replacement escapes because the string_append function processes matched substrings using UTF-8 functions that assume valid UTF-8 input, even when the string is treated as raw bytes. This vulnerability can cause a minor information disclosure of 1-5 bytes and a denial of service when the buffer over-read crosses a page boundary.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS