Bug 2430079 - CVE-2026-0861 zig: Integer overflow in memalign leads to heap corruption [fedora-43]
Summary: CVE-2026-0861 zig: Integer overflow in memalign leads to heap corruption [fed...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: zig
Version: 43
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Jan Drögehoff
QA Contact:
URL:
Whiteboard: {"flaws": ["f06d781b-0779-4f8a-96b8-0...
: 2430074 2430075 2430077 (view as bug list)
Depends On:
Blocks: CVE-2026-0861
TreeView+ depends on / blocked
 
Reported: 2026-01-15 17:50 UTC by Guilherme de Almeida Suckevicz
Modified: 2026-03-24 17:45 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-03-24 17:45:07 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2026-01-15 17:50:16 UTC 
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Comment 1 Jan Drögehoff 2026-01-22 09:12:16 UTC 
Zig does not vendor glibc source code however it does make use of `posix_memalign` and can be made to pass an alignment of `1 << 63` to glibc.
Its been reported to upstream though I see it unlikely to be a major vulnerability to any zig program.
Comment 2 Jan Drögehoff 2026-01-22 09:19:23 UTC 
*** Bug 2430077 has been marked as a duplicate of this bug. ***
Comment 3 Jan Drögehoff 2026-01-22 09:19:24 UTC 
*** Bug 2430075 has been marked as a duplicate of this bug. ***
Comment 4 Jan Drögehoff 2026-01-22 09:19:25 UTC 
*** Bug 2430074 has been marked as a duplicate of this bug. ***
Comment 5 Jan Drögehoff 2026-03-24 17:45:07 UTC 
Upstream considers this issue to be neglible for them and only exploitable through misuse of the standard library.
Note You need to log in before you can comment on or make changes to this bug.