Bug 2448747 (CVE-2026-26740) - CVE-2026-26740 giflib: giflib: Denial of Service via buffer overflow in EGifGCBToExtension
Summary: CVE-2026-26740 giflib: giflib: Denial of Service via buffer overflow in EGifG...
Keywords:
Status: NEW
Alias: CVE-2026-26740
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2448828 2448829 2448831 2448832 2448833 2448834 2448835 2448836 2448830
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-18 19:03 UTC by OSIDB Bzimport
Modified: 2026-06-30 23:31 UTC (History)
10 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:33447 0 None None None 2026-06-30 09:37:23 UTC
Red Hat Product Errata RHSA-2026:33450 0 None None None 2026-06-30 10:02:27 UTC
Red Hat Product Errata RHSA-2026:33451 0 None None None 2026-06-30 10:07:27 UTC
Red Hat Product Errata RHSA-2026:33452 0 None None None 2026-06-30 10:30:48 UTC
Red Hat Product Errata RHSA-2026:33455 0 None None None 2026-06-30 10:24:41 UTC
Red Hat Product Errata RHSA-2026:33456 0 None None None 2026-06-30 10:46:33 UTC
Red Hat Product Errata RHSA-2026:33501 0 None None None 2026-06-30 23:31:49 UTC
Red Hat Product Errata RHSA-2026:33502 0 None None None 2026-06-30 22:55:46 UTC
Red Hat Product Errata RHSA-2026:33503 0 None None None 2026-06-30 14:24:06 UTC
Red Hat Product Errata RHSA-2026:33509 0 None None None 2026-06-30 13:59:05 UTC

Description OSIDB Bzimport 2026-03-18 19:03:00 UTC
Buffer Overflow vulnerability in giflib v.5.2.2 allows a remote attacker to cause a denial of service via the EGifGCBToExtension overwriting an existing Graphic Control Extension block without validating its allocated size.

Comment 2 Thiago Osório 2026-05-27 17:43:11 UTC
Hi, team. I hope you're doing well. 

  Do we have an ETA for the fix for this CVE-2026-26740 vulnerability to the Red Hat build of OpenJDK 21 (java-21-openjdk-portable)?

  Regards.

Comment 3 Francisco Ferrari Bihurriet 2026-05-27 22:31:59 UTC
Hi,

Here is a public disclosure of the issue:
  https://github.com/zakkanijia/POC/blob/main/giflib/giftool/giflib_giftool_gce_len_heap_oobwrite_disclosure.md

The affected components are the EGifGCBToExtension and EGifGCBToSavedExtension functions, implemented in egif_lib.c:
  https://sourceforge.net/p/giflib/code/ci/6.1.3/tree/egif_lib.c#l658
  https://sourceforge.net/p/giflib/code/ci/6.1.3/tree/egif_lib.c#l675

This is not resolved in GifLib upstream yet, probably addressed by one of the patches attached to the following issues:
  GifLib bug #​199: Buffer Overflow vulnerability in giflib
  https://sourceforge.net/p/giflib/bugs/199/
  GifLib bug #​201: Heap buffer overflow in EGifGCBToSavedExtension on malformed Graphics Control Extension
  https://sourceforge.net/p/giflib/bugs/201/

Here is a discussion with the maintainers, where they mention a fix is in the pipeline:
  https://sourceforge.net/p/giflib/mailman/giflib-devel/thread/SAWPR05MB99856275F12A2F9834E58B8CE9B356A%40SAWPR05MB998562.namprd05.prod.outlook.com/#msg59313739

However, OpenJDK sources do not include egif_lib.c, and the only occurrences of these functions in OpenJDK code are their declarations in gif_lib.h:
  https://github.com/openjdk/jdk/blob/jdk-27+22/src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h#L282-L283
  https://github.com/openjdk/jdk/blob/jdk-27+22/src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h#L287-L288

Thus, to my understanding, none of the OpenJDK versions are affected by CVE-2026-26740, because they do NOT ship the vulnerable code.

Comment 4 errata-xmlrpc 2026-06-30 09:37:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:33447 https://access.redhat.com/errata/RHSA-2026:33447

Comment 5 errata-xmlrpc 2026-06-30 10:02:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:33450 https://access.redhat.com/errata/RHSA-2026:33450

Comment 6 errata-xmlrpc 2026-06-30 10:07:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:33451 https://access.redhat.com/errata/RHSA-2026:33451

Comment 7 errata-xmlrpc 2026-06-30 10:24:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On

Via RHSA-2026:33455 https://access.redhat.com/errata/RHSA-2026:33455

Comment 8 errata-xmlrpc 2026-06-30 10:30:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions

Via RHSA-2026:33452 https://access.redhat.com/errata/RHSA-2026:33452

Comment 9 errata-xmlrpc 2026-06-30 10:46:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:33456 https://access.redhat.com/errata/RHSA-2026:33456

Comment 10 errata-xmlrpc 2026-06-30 13:59:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:33509 https://access.redhat.com/errata/RHSA-2026:33509

Comment 11 errata-xmlrpc 2026-06-30 14:24:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:33503 https://access.redhat.com/errata/RHSA-2026:33503

Comment 12 errata-xmlrpc 2026-06-30 22:55:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:33502 https://access.redhat.com/errata/RHSA-2026:33502

Comment 13 errata-xmlrpc 2026-06-30 23:31:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:33501 https://access.redhat.com/errata/RHSA-2026:33501


Note You need to log in before you can comment on or make changes to this bug.