Bug 2440139 (CVE-2026-2574) - CVE-2026-2574 glib-networking: glib-networking: Denial of Service and information disclosure via crafted TLS client-CA list
Summary: CVE-2026-2574 glib-networking: glib-networking: Denial of Service and informa...
Keywords:
Status: NEW
Alias: CVE-2026-2574
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2026-02-16 05:03 UTC by OSIDB Bzimport
Modified: 2026-02-16 05:25 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-02-16 05:03:59 UTC
An out-of-bounds read and invalid free vulnerability exists in the OpenSSL backend of the glib-networking library. The flaw resides in the g_tls_client_connection_openssl_get_property() function of GTlsClientConnectionOpenssl, where i2d_X509_NAME() advances the pointer that is passed to it by reference. The code allocates a buffer with g_malloc(), then passes that pointer directly to i2d_X509_NAME(), which increments it to the end of the encoded data.

This advanced pointer is subsequently stored in a GByteArray, so reads from ba->data[0] access memory outside the allocated buffer, leading to an out-of-bounds heap read. Additionally, freeing the GByteArray frees an interior pointer rather than the original allocation base, triggering an invalid free and undefined behaviour.

A malicious TLS server that advertises a crafted client-CA list can remotely trigger this condition when a client using the OpenSSL backend connects, leading to denial of service and potential limited heap memory disclosure.
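The bug pattern described above is a misuse of the OpenSSL i2d_* calling convention, which advances the output pointer it is given. The following is an added, self-contained C illustration (not glib-networking's or OpenSSL's code): toy_i2d() is a constructed stand-in that mimics only the pointer-advancing contract of i2d_X509_NAME(), and ByteArray is a constructed stand-in for GByteArray. It contrasts the flawed pattern (storing the advanced pointer, so the stored pointer sits `len` bytes past the allocation base) with the correct pattern (keeping a separate cursor and storing the base). The flawed path only measures the offset; it never dereferences or frees the interior pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for i2d_X509_NAME(): writes the encoding at *out and,
 * like the real i2d functions, advances *out past the bytes written.
 * A NULL out (or *out) acts as a length query. The real function lives in
 * <openssl/x509.h>; this toy just copies the name string. */
static int toy_i2d(const char *name, unsigned char **out)
{
    int len = (int)strlen(name);
    if (out == NULL || *out == NULL)
        return len;
    memcpy(*out, name, (size_t)len);
    *out += len;               /* the contract that bites the flawed caller */
    return len;
}

/* Constructed stand-in for GByteArray: data must be the allocation base,
 * because the array's free path will hand data back to the allocator. */
typedef struct {
    unsigned char *data;
    size_t len;
} ByteArray;

/* Flawed pattern: the allocation pointer itself is passed to i2d and the
 * (now advanced) pointer is what would be stored in the array.
 * Returns how many bytes past the allocation base that pointer ends up;
 * a non-zero result means the stored pointer is an interior pointer. */
size_t flawed_pattern_offset(const char *name)
{
    int len = toy_i2d(name, NULL);
    unsigned char *buf = malloc((size_t)len);
    if (buf == NULL)
        return 0;
    unsigned char *p = buf;
    toy_i2d(name, &p);         /* p now points one past the encoded data */
    size_t off = (size_t)(p - buf);   /* p is what the flawed code stored */
    free(buf);                 /* free the base here; freeing p would be invalid */
    return off;
}

/* Correct pattern: keep the base pointer, pass a separate cursor to i2d,
 * and store the base (plus the returned length) in the array.
 * Returns 0 on success, -1 on allocation failure or a length mismatch. */
int correct_pattern(const char *name, ByteArray *ba)
{
    int len = toy_i2d(name, NULL);
    unsigned char *base = malloc((size_t)len);
    if (base == NULL)
        return -1;
    unsigned char *cursor = base;
    int written = toy_i2d(name, &cursor);
    if (written != len || cursor != base + written) {
        free(base);
        return -1;
    }
    ba->data = base;           /* base, not cursor */
    ba->len = (size_t)written;
    return 0;
}

int main(void)
{
    const char *name = "CN=Example CA";   /* constructed sample DN */
    ByteArray ba = {0};
    printf("flawed pattern stores a pointer %zu bytes past the base\n",
           flawed_pattern_offset(name));
    if (correct_pattern(name, &ba) == 0) {
        printf("correct pattern stored %zu bytes starting at the base\n", ba.len);
        free(ba.data);         /* freeing the base is valid */
    }
    return 0;
}
```

The same discipline applies to every OpenSSL i2d_* function: either pass a NULL output pointer and let OpenSSL allocate, or keep the original allocation pointer in a separate variable and give i2d a copy to advance.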

