Home

Description

GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.

PUBLISHED Reserved 2026-06-30 | Published 2026-07-07 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

Out-of-bounds Read

Product status

Default status
affected

Any version
affected

37a40fcb450153f69537c7cbc2a7a4fb0b6f7826 (git)
unaffected

Credits

Tristan Madani finder

References

gitlab.com/...ommit/37a40fcb450153f69537c7cbc2a7a4fb0b6f7826 (Fix Commit) patch

www.vulncheck.com/...ffer-underread-via-metalink-url-parsing third-party-advisory

cve.org (CVE-2026-58469)

nvd.nist.gov (CVE-2026-58469)

Download JSON