CVE-2026-58014
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
A flaw was found in GLib. An off-by-one error can occur in the g_key_file_get_locale_string_list function in the gkeyfile.c file when loading a key file with an empty value. This flaw can cause an out-of-bounds access of 1 byte or a denial of service when the out-of-bounds access crosses a page boundary.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| GNOME | GLib | 0 < 2.88.1 | affected |
Weaknesses
- CWE-193: Off-by-one Error
Workarounds
To mitigate this vulnerability, implement input validation to sanitize untrusted key files (such as .desktop or .ini files), specifically rejecting or stripping empty values before calling g_key_file_get_locale_string_list(). Alternatively, restricting the application to only load key files from trusted sources will completely neutralize this issue.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
References
- https://access.redhat.com/security/cve/CVE-2026-58014
- https://bugzilla.redhat.com/show_bug.cgi?id=2492255
- https://gitlab.gnome.org/GNOME/glib/-/issues/3930
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.