4.6

CVE-2026-56288

NULL Pointer Dereference in GNU patch

GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk (single block of changes in diff) data structures, causing the application to pass a NULL pointer to fwrite() during patch processing.
An attacker can trigger this condition with a malicious patch file, causing the utility to crash and resulting in a denial of service.



This issue has been fixed in the commit e6d6a4e021660679d7fc9150f981d4920f722313
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerGNU
Produkt patch
Default Statusunaffected
Version <= 2.8.0
Version 0
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
cvd@cert.pl 4.6 0 0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://cert.pl/en/posts/2026/07/CVE-2026-56288
https://cgit.git.savannah.gnu.org/cgit/patch.git/
https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=e6d6a4e021660679d7fc9150f981d4920f722313