CVE-2026-5928 (GCVE-0-2026-5928)

Vulnerability from cvelistv5 – Published: 2026-04-20 20:37 – Updated: 2026-04-20 20:37
VLAI?
Title
Static buffer overflow in deprecated nis_local_principal
Summary
Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.
Severity ?
No CVSS data available.
CWE
Assigner
References
Impacted products
Vendor Product Version
The GNU C Library glibc Affected: 2.1.1-89 , ≤ 2.43 (custom)
Create a notification for this product.
Credits
Rocket Ma
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "glibc",
          "vendor": "The GNU C Library",
          "versions": [
            {
              "lessThanOrEqual": "2.43",
              "status": "affected",
              "version": "2.1.1-89",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rocket Ma"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\u003cbr\u003e\u003cbr\u003eA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp-\u0026gt;_IO_read_ptr) instead of the actual wide-stream read pointer (fp-\u0026gt;_wide_data-\u0026gt;_IO_read_ptr). The program crash may happen in cases where fp-\u0026gt;_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets."
            }
          ],
          "value": "Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\n\nA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp-\u003e_IO_read_ptr) instead of the actual wide-stream read pointer (fp-\u003e_wide_data-\u003e_IO_read_ptr). The program crash may happen in cases where fp-\u003e_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-540",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-540 Overread Buffers"
            }
          ]
        },
        {
          "capecId": "CAPEC-267",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-267 Leverage Alternate Encoding"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-127",
              "description": "CWE-127 Buffer under-read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-20T20:37:31.743Z",
        "orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
        "shortName": "glibc"
      },
      "references": [
        {
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33998"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Static buffer overflow in deprecated nis_local_principal",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
    "assignerShortName": "glibc",
    "cveId": "CVE-2026-5928",
    "datePublished": "2026-04-20T20:37:31.743Z",
    "dateReserved": "2026-04-08T22:47:29.814Z",
    "dateUpdated": "2026-04-20T20:37:31.743Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-5928\",\"sourceIdentifier\":\"3ff69d7a-14f2-4f67-a097-88dee7810d18\",\"published\":\"2026-04-20T21:16:36.963\",\"lastModified\":\"2026-04-20T21:16:36.963\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.\\n\\nA bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp-\u003e_IO_read_ptr) instead of the actual wide-stream read pointer (fp-\u003e_wide_data-\u003e_IO_read_ptr). The program crash may happen in cases where fp-\u003e_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.\"}],\"metrics\":{},\"weaknesses\":[{\"source\":\"3ff69d7a-14f2-4f67-a097-88dee7810d18\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-127\"}]}],\"references\":[{\"url\":\"https://sourceware.org/bugzilla/show_bug.cgi?id=33998\",\"source\":\"3ff69d7a-14f2-4f67-a097-88dee7810d18\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.