CVE-2026-5928
Received Received - Intake
Buffer Under-Read in GNU C Library ungetwc Causes Data Leak

Publication date: 2026-04-20

Last updated on: 2026-04-23

Assigner: GNU C Library

Description
Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-23
Generated
2026-05-07
AI Q&A
2026-04-21
EPSS Evaluated
2026-05-05
NVD
CVE-2026-5928
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gnu glibc to 2.43 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-127 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the GNU C Library version 2.43 or earlier when the ungetwc function is called on a FILE stream containing wide characters encoded in a character set where single byte and multi-byte character encodings overlap.

Due to a bug in the wide character pushback implementation, ungetwc operates on the wrong buffer pointer, which can cause it to read bytes before the allocated buffer.

This can lead to either unintentional disclosure of adjacent heap data or a program crash if the buffer pointer is uninitialized.

The issue requires a special character encoding with overlapping single and multi-byte representations, which does not occur in standard Unicode character sets.


How can this vulnerability impact me? :

The vulnerability can cause a program crash or potentially expose neighboring data in memory unintentionally.

This means that sensitive information stored adjacent in the heap memory could be disclosed if exploited under the right conditions.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart