CVE-2026-5450 - Vulnerability Details - OpenCVE

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5450", "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "state": "PUBLISHED", "assignerShortName": "glibc", "dateReserved": "2026-04-02T21:47:21.403Z", "datePublished": "2026-04-20T20:55:41.170Z", "dateUpdated": "2026-04-21T19:49:53.221Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "shortName": "glibc", "dateUpdated": "2026-04-20T20:55:41.170Z"}, "title": "scanf %mc off-by-one heap buffer overflow", "datePublic": "2026-03-19T17:36:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "CWE-122 Heap-based buffer overflow", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "affected": [{"vendor": "The GNU C Library", "product": "glibc", "versions": [{"status": "affected", "version": "2.7", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow."}]}], "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450", "tags": ["issue-tracking"]}, {"url": "https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u", "tags": ["mailing-list"]}], "credits": [{"lang": "en", "value": "Rocket Ma", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T16:11:50.875542Z", "id": "CVE-2026-5450", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:49:53.221Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5450", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T16:11:50.875542Z"}}}], "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T16:04:17.997Z"}}], "cna": {"title": "scanf %mc off-by-one heap buffer overflow", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Rocket Ma"}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "affected": [{"vendor": "The GNU C Library", "product": "glibc", "versions": [{"status": "affected", "version": "2.7", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-19T17:36:00.000Z", "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450", "tags": ["issue-tracking"]}, {"url": "https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u", "tags": ["mailing-list"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.", "supportingMedia": [{"type": "text/html", "value": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122 Heap-based buffer overflow"}]}], "providerMetadata": {"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "shortName": "glibc", "dateUpdated": "2026-04-20T20:55:41.170Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5450", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:49:53.221Z", "dateReserved": "2026-04-02T21:47:21.403Z", "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "datePublished": "2026-04-20T20:55:41.170Z", "assignerShortName": "glibc"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*", "matchCriteriaId": "36C44C9A-5EBA-4114-8379-A022AE49F18E", "versionEndIncluding": "2.43", "versionStartIncluding": "2.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow."}], "id": "CVE-2026-5450", "lastModified": "2026-04-23T15:33:34.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T21:16:36.850", "references": [{"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "tags": ["Third Party Advisory"], "url": "https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u"}, {"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "tags": ["Exploit", "Issue Tracking"], "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"], "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"}], "sourceIdentifier": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "glibc: glibc: Heap Buffer Overflow in `scanf` with `%mc` format specifier and large width", "id": "2459853", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459853"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["A flaw was found in glibc (GNU C Library). This vulnerability occurs when an application uses the `scanf` family of functions with a `%mc` format specifier, which is used for dynamically allocating memory for character input, and provides an explicit width greater than 1024. This specific combination can lead to a one-byte heap buffer overflow, potentially allowing an attacker to corrupt memory."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-5450", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "compat-glibc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "compat-glibc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Fix deferred", "package_name": "glibc", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-20T20:55:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5450\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5450\nhttps://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u\nhttps://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.7,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "glibc", "source": "cna", "vendor": "The GNU C Library"}, "product": "glibc", "vendor": "the_gnu_c_library"}], "analysis": {"en": {"generated_at": "2026-04-28T21:32:19.680835+00:00", "value": {"mitigation_remediation": ["Upgrade the GNU C Library to a patched release (e.g., glibc 2.44 or newer) that contains the bound\u2011checking fix for the %mc conversion specifier.", "If an upgrade is not immediately possible, modify application code to avoid using scanf with the %mc specifier and an explicit width greater than 1024; replace with safer parsing routines such as fgets and manual length checks.", "Ensure that memory protection mechanisms\u2014including stack canaries, address space layout randomization, position\u2011independent executables, and hardware\u2011level memory safety features\u2014are enabled on all affected binaries to mitigate the impact of potential residual corruption."], "summary": {"action": "Patch glibc", "impact": "Heap Buffer Overflow (memory corruption)"}, "threat_synthesis": {"affected_systems": "All systems that link against the GNU C Library between versions 2.7 and 2.43 are affected. This includes most Linux distributions, as well as applications compiled against these glibc releases. Users running binaries that compile with the unmodified library and that process external input via scanf with the %mc specifier are at risk.", "description_and_impact": "The vulnerability occurs when an application invokes a scanf family function with the %mc conversion specifier and specifies an explicit width greater than 1024. This causes an off\u2011by\u2011one write on a heap buffer and can corrupt adjacent memory. The resulting memory corruption falls under CWE\u2011122, CWE\u2011131, and CWE\u2011787, and may lead to program crash, data integrity loss, or, if an attacker can influence subsequent execution, remote code execution.", "risk_and_exploitability": "The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of widespread exploitation at present. The CVSS score of 9.8 reflects a high severity due to the potential for arbitrary memory overwrite on the heap. Based on the description, the likely attack vector is an attacker supplying crafted input that is handled by scanf with a large width, which may be local or remote depending on the application. Exploitation requires reaching the vulnerable scanf call, but because the overflow is only one byte, the difficulty is moderate; an attacker must control the input boundary to influence neighboring heap objects or trigger a crash. If an application can be coerced to execute arbitrary code after the heap corruption, privilege escalation or remote code execution may be achieved."}}}}, "created": "2026-04-20T23:00:12.741832+00:00", "updated": "2026-04-28T21:45:26.133229+00:00", "vendors": ["the_gnu_c_library", "the_gnu_c_library$PRODUCT$glibc"]}