CVE-2026-58471
Received Received - Intake

Heap Buffer Overflow in GNU Wget

Vulnerability report for CVE-2026-58471, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: VulnCheck

Description

GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gnu wget to 1.25.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a heap buffer overflow in GNU Wget versions up to 1.25.0, specifically in the convert_fname() function located in src/url.c. It occurs when a server supplies a filename that requires character set conversion. During this process, if the output buffer is too small during iconv E2BIG reallocation, the logic that reallocates the buffer miscalculates the remaining space. This miscalculation leads to a heap buffer overflow, which can be triggered remotely by a maliciously crafted server response.

Impact Analysis

The heap buffer overflow caused by this vulnerability can lead to memory corruption. This may allow an attacker to cause a denial of service or potentially execute arbitrary code on the affected system. Since the vulnerability can be triggered remotely via a malicious server response, users of vulnerable GNU Wget versions are at risk when downloading files from untrusted or compromised servers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58471. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart