CVE-2026-58014

Off-by-One Error in GLib Key File Parsing

Vulnerability report for CVE-2026-58014, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Red Hat, Inc.

Description

A flaw was found in GLib. An off-by-one error can occur in the g_key_file_get_locale_string_list function in the gkeyfile.c file when loading a key file with an empty value. This flaw can cause an out-of-bounds access of 1 byte or a denial of service when the out-of-bounds access crosses a page boundary.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Associated CPEs: 1

Vendor   Product   Version / Range
glib     glib      *

Exploitability

CWE
CWE ID    Description
CWE-193   A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

Executive Summary

CVE-2026-58014 is a vulnerability in the GLib library caused by an off-by-one error in the function g_key_file_get_locale_string_list(). This error occurs when the function processes a key file containing an empty string value. Specifically, the function calculates the length of the string as zero and then attempts to access one byte before the start of the string, leading to an out-of-bounds read of 1 byte. This can cause a heap-buffer-overflow, potentially leading to a crash or other unexpected behavior.

Impact Analysis

This vulnerability can impact applications that use the GLib library to load key files from untrusted sources. An attacker could craft a specially formed key file with an empty value to trigger an out-of-bounds read, which may cause a denial of service (application crash) or potentially other unpredictable behavior. The severity is considered medium, and it affects any application calling g_key_file_get_locale_string_list() on such input.

Detection Guidance

This vulnerability is triggered when an application loads a key file containing an empty value and then calls g_key_file_get_locale_string_list() from the GLib library. Detection therefore starts with identifying which applications on your system use this function to process untrusted key files, such as .desktop files or application configuration files.

To detect potential exploitation or presence of this vulnerability, you can:

  • Check for usage of GLib, and specifically of the g_key_file_get_locale_string_list() function, in your installed applications.
  • Monitor application logs for crashes or denial of service events related to key file processing.
  • Use debugging or memory analysis tools (e.g., AddressSanitizer, Valgrind) to detect out-of-bounds reads when loading key files.

There are no specific command-line commands provided in the resources to detect this vulnerability directly.
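As an added example that is not part of this report and is not GLib's own code, the following Python script parses text in GLib's key-file format and flags every key whose value is empty, the input condition the description names, so that untrusted .desktop or configuration files can be triaged before an application parses them. The key-file syntax it follows is the one GLib documents (groups in brackets, key=value lines, an optional [locale] suffix on keys, '#' comments), and the sample input is constructed.

```python
"""Flag empty values in GLib key-file text (for example .desktop files).

Added example, not code from the report or from GLib. It parses the syntax
GLib documents for key files (groups in [brackets], key=value lines, an
optional [locale] suffix on keys, '#' comments, spaces around '=' ignored)
and reports every key whose value is empty. The sample input is constructed.
"""
import re

# key name, optional [locale] suffix, then the value after '='
KEY_RE = re.compile(r"^([A-Za-z0-9-]+)(?:\[([^\]]+)\])?\s*=\s*(.*)$")

def find_empty_values(text):
    """Return (group, key, locale, line_no) for every empty-valued key."""
    findings = []
    group = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]            # new group header
            continue
        match = KEY_RE.match(line)
        if match is None:
            continue                      # malformed line; GLib rejects it
        key, locale, value = match.groups()
        if value == "":                   # locale is None when no suffix
            findings.append((group, key, locale, line_no))
    return findings

def localized_only(findings):
    """Keep only key[locale]= entries, the form the affected function reads."""
    return [f for f in findings if f[2] is not None]

# Constructed sample: two localized keys and one plain key have empty values.
SAMPLE = """\
# constructed sample key file
[Desktop Entry]
Name=Example
Name[de]=
Comment=hello
Keywords[fr]=
Categories=
"""

if __name__ == "__main__":
    for group, key, locale, line_no in find_empty_values(SAMPLE):
        shown = f"{key}[{locale}]" if locale else key
        print(f"line {line_no}: [{group}] {shown} has an empty value")
```

Running the script on the constructed sample reports lines 4, 6 and 7; point it at real files by reading their contents into find_empty_values().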

Mitigation Strategies

Immediate mitigation steps include:

  • Avoid loading or processing untrusted key files that may contain keys with empty values in applications that rely on GLib's g_key_file_get_locale_string_list() function.
  • Apply any available patches or updates to the GLib library once they are released to fix the off-by-one error.
  • Restrict access to key files and ensure they come from trusted sources to reduce the risk of exploitation.
  • Monitor for updates from your OS or software vendors regarding fixes for this vulnerability.
