CVE-2026-57053
Status: Received - Intake
Out-of-Bounds Read in GNU libidn Before 1.44

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: MITRE

Description
GNU libidn before 1.44 is prone to out-of-bounds reads of uninitialized memory in the ToUnicode APIs because of mishandling in idna_to_unicode_internal. The affected code is not present in libidn2.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor  Product  Version / Range
gnu     libidn   up to 1.44 (excluding)
gnu     libidn   from 0.1.15 (including) to 1.43 (including)
gnu     libidn   1.44
CWE
CWE-1284: The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Compliance Impact

The vulnerability in GNU Libidn's ToUnicode APIs can lead to incorrect normalization of domain names, which may affect security decisions in applications relying on Libidn for domain normalization, such as allowlist/blocklist checks, routing, or logging.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, improper domain normalization could lead to security risks such as unauthorized access or data leakage if domain-based controls are bypassed.

Therefore, organizations using affected versions of Libidn might face indirect compliance challenges if this vulnerability leads to security incidents impacting personal or sensitive data protected under such regulations.

Executive Summary

The vulnerability in GNU Libidn before version 1.44 involves an out-of-bounds read of uninitialized memory in the ToUnicode APIs, specifically in the function idna_to_unicode_internal. This happens because the function mishandles the decoding and comparison of ACE (ASCII Compatible Encoding) labels that start with the prefix "xn--". When the decoded label is a short ASCII string (less than 4 characters), the code incorrectly assumes the presence of the prefix and ends up reading uninitialized stack memory. This can cause invalid ACE labels like "xn--com-" or "xn--www-" to be normalized incorrectly to "com" or "www", potentially affecting domain normalization processes.

This issue is stack-layout dependent and can persist across multiple API calls in long-running processes. It affects Libidn releases going back to at least 2003, up to and including 1.43, but not Libidn2. The problem was detected using Differential Memory Sanitizer (DMSAN) and fixed in Libidn version 1.44.
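
The property that separates a valid ToUnicode result from the bad normalizations described above is the IDNA round trip: ToASCII of the decoded label must reproduce the ACE label it came from, which "com" does not do for "xn--com-". The following is an added example, not code from libidn or from this advisory. It decodes a label with Python's punycode codec in an unchecked way that yields the same visible wrong result ("com" for "xn--com-") without reproducing libidn's uninitialized-memory read, then shows the checked wrapper that re-encodes with Python's idna codec and rejects labels that do not round-trip. Function names and the sample hostnames are constructed for the illustration.

```python
"""Added example (not libidn code): reject ACE labels that do not round-trip.

The advisory shows invalid labels such as "xn--com-" being normalized to
"com".  A ToUnicode result is only trustworthy if ToASCII maps it back to the
label it came from; this wrapper enforces that, so a label that fails the
check is rejected instead of being compared against an allowlist.
"""
from __future__ import annotations

ACE_PREFIX = "xn--"


def unchecked_to_unicode(label: str) -> str:
    """Decode one label naively: strip the prefix, punycode-decode the rest.

    This deliberately skips the round-trip check, so it yields "com" for
    "xn--com-", matching the wrong result described in the advisory.  It does
    not reproduce libidn's uninitialized-memory read, only the visible output.
    """
    if not label.lower().startswith(ACE_PREFIX):
        return label
    return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")


def checked_to_unicode(label: str) -> str:
    """ToUnicode with the IDNA round-trip check (RFC 3490 ToUnicode step 7).

    Re-encode the decoded label with Python's idna codec and accept it only
    if the result equals the original ACE label (case-insensitively).
    """
    decoded = unchecked_to_unicode(label)
    reencoded = decoded.encode("idna").decode("ascii")
    if reencoded.lower() != label.lower():
        raise ValueError(
            f"ACE label {label!r} does not round-trip: decoded {decoded!r}, "
            f"re-encoded {reencoded!r}"
        )
    return decoded


def normalize_hostname(host: str) -> tuple[str, str | None]:
    """Normalize a dotted hostname label by label.

    Returns (normalized_host, None) on success, or ("", reason) if any label
    fails the round-trip check.  Allowlist/blocklist code should treat a
    rejected host as a mismatch, never as the naively decoded string.
    """
    out = []
    for label in host.split("."):
        try:
            out.append(checked_to_unicode(label))
        except (ValueError, UnicodeError) as exc:
            return "", str(exc)
    return ".".join(out), None


# Constructed sample inputs for the illustration.
SAMPLE_HOSTS = [
    "www.example.com",          # plain ASCII, passes unchanged
    "xn--mnchen-3ya.example",   # valid ACE label, decodes to "münchen"
    "xn--com-.example",         # invalid ACE label named in the advisory
    "xn--www-.example.com",     # invalid ACE label named in the advisory
]


def audit(hosts: list[str] = SAMPLE_HOSTS) -> dict[str, tuple[str, str | None]]:
    """Run every sample hostname through the checked normalizer."""
    return {h: normalize_hostname(h) for h in hosts}


if __name__ == "__main__":
    for host, (normalized, reason) in audit().items():
        naive = ".".join(unchecked_to_unicode(l) for l in host.split("."))
        status = normalized if reason is None else f"REJECTED ({reason})"
        print(f"{host:26} naive={naive:20} checked={status}")
```

Running the script prints both columns side by side: the naive decoder turns the two invalid hosts into "com.example" and "www.example.com", while the checked normalizer rejects them and leaves the valid ACE label decoded to "münchen.example". The check is independent of which ToUnicode implementation produced the candidate string, so it can wrap a libidn call in the same way until the upgrade to 1.44 is done.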

Impact Analysis

This vulnerability can impact applications that rely on GNU Libidn for domain name normalization, such as allowlist or blocklist checks, routing decisions, or logging. Because invalid ACE labels may be incorrectly normalized to valid domain names, security decisions based on these normalized names could be bypassed or misapplied.

For example, an attacker could craft domain names that appear safe or allowed by the application but actually exploit the normalization flaw to bypass security controls. This could lead to incorrect routing, logging inaccuracies, or unauthorized access if domain-based filtering is used.

The severity of this issue is considered low, but it can still cause integrity and availability impacts in affected systems.

Detection Guidance

The vulnerability in GNU Libidn involves out-of-bounds reads of uninitialized memory in the ToUnicode APIs, specifically in the idna_to_unicode_internal() function. Detection was originally performed using Differential Memory Sanitizer (DMSAN), a tool that can identify uninitialized memory reads during program execution.

To detect this vulnerability on your system, you can run tests or fuzzing on the libidn ToUnicode API calls using tools like DMSAN or other memory sanitizers that detect uninitialized memory usage.

There are no specific network commands provided to detect this vulnerability directly, but you can check the version of libidn installed on your system with commands such as:

  • dpkg -l | grep libidn # On Debian/Ubuntu systems
  • rpm -qa | grep libidn # On RedHat/CentOS systems
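
The two commands above list every package whose name contains "libidn", including libidn2, which this CVE does not affect, and they leave the version comparison to the reader. As an added example (not from the advisory or from the libidn project), the following Python script consumes lines in the shape of that dpkg and rpm output, skips libidn2 packages, strips distro epoch and revision suffixes, and reports whether each remaining package version falls in the affected range 0.1.15 through 1.43 (fixed in 1.44). The sample lines are constructed; run the real commands and feed their output on stdin for an actual host.

```python
"""Added example (not from the advisory or libidn): flag installed libidn
packages whose version falls in the affected range for CVE-2026-57053.

Affected: GNU libidn 0.1.15 through 1.43; fixed in 1.44.  libidn2 is a
separate code base and is not affected, so packages named libidn2* are
skipped.  Input lines are the kind produced by `dpkg -l | grep libidn` and
`rpm -qa | grep libidn`; the sample lines below are constructed.
"""
from __future__ import annotations

import re
import sys

AFFECTED_MIN = (0, 1, 15)   # first affected release (inclusive)
FIXED = (1, 44)             # first fixed release

_VERSION_RE = re.compile(r"(?:\d+:)?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a distro version string into a comparable tuple of ints.

    Skips a Debian epoch ("1:") and stops at the first non-numeric part, so
    "1:1.41-1ubuntu1" -> (1, 41) and "1.43+dfsg-2" -> (1, 43).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version: tuple[int, ...]) -> bool:
    """True for 0.1.15 <= version < 1.44 (tuple comparison is lexicographic)."""
    return AFFECTED_MIN <= version < FIXED


def is_libidn1_package(name: str) -> bool:
    """libidn, libidn11, libidn12, libidn-dev(el) ... but not libidn2*."""
    base = name.split(":", 1)[0]  # drop the dpkg arch qualifier ":amd64"
    return base.startswith("libidn") and not base.startswith("libidn2")


def parse_dpkg_line(line: str) -> tuple[str, str] | None:
    """'ii  libidn12:amd64  1.41-1  amd64  GNU Libidn ...' -> (name, version)."""
    fields = line.split()
    if len(fields) < 3 or fields[0] not in ("ii", "hi"):
        return None
    return fields[1], fields[2]


def parse_rpm_line(line: str) -> tuple[str, str] | None:
    """'libidn-1.43-5.el9.x86_64' (NAME-VERSION-RELEASE.ARCH) -> (name, version)."""
    try:
        stem, _arch = line.strip().rsplit(".", 1)
        name, version, _release = stem.rsplit("-", 2)
    except ValueError:
        return None
    return name, version


def scan(lines: list[str]) -> list[tuple[str, str, bool]]:
    """Return (package, version, affected) for every libidn 1.x package found."""
    results = []
    for line in lines:
        parsed = parse_dpkg_line(line) or parse_rpm_line(line)
        if parsed is None:
            continue
        name, version = parsed
        if not is_libidn1_package(name):
            continue
        try:
            affected = is_affected(parse_version(version))
        except ValueError:
            continue
        results.append((name, version, affected))
    return results


# Constructed sample output from the two commands.
SAMPLE_LINES = [
    "ii  libidn12:amd64   1.41-1   amd64  GNU Libidn library, IETF IDN specifications",
    "ii  libidn2-0:amd64  2.3.3-1  amd64  Internationalized domain names library",
    "ii  libidn-dev:amd64 1.44-1   amd64  Development files for GNU Libidn",
    "libidn-1.43-5.el9.x86_64",
    "libidn2-2.3.4-1.el9.x86_64",
]


if __name__ == "__main__":
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES
    for name, version, affected in scan(source):
        print(f"{name:20} {version:12} {'AFFECTED' if affected else 'ok'}")
```

Usage: `dpkg -l | grep libidn | python3 check_libidn.py` or `rpm -qa | grep libidn | python3 check_libidn.py` (the script name is a placeholder); with no piped input it runs on the constructed sample. Distributions may backport the fix without bumping the upstream version, so an "AFFECTED" line means the version string is in range, not that the package is unpatched; confirm against the distribution's changelog.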

If you want to test the vulnerable API behavior, you would need to run custom test programs or scripts that call the ToUnicode APIs with crafted inputs that trigger the uninitialized memory read, but no ready-made commands are provided in the resources.

Mitigation Strategies

The primary mitigation step is to upgrade GNU Libidn to version 1.44 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, applying the patch suggested in the initial report to the affected versions (0.1.15 through 1.43) is recommended.

Avoid using the vulnerable ToUnicode APIs in security-critical applications until the fix is applied, as the vulnerability can cause incorrect domain normalization affecting allowlist/blocklist checks, routing, or logging.
