Bug 2494873 - CVE-2026-58012 glib: buffer over-read in g_regex_replace() via glib/gregex.c:string_append() and g_utf8_next_char() [fedora-all]
Summary: CVE-2026-58012 glib: buffer over-read in g_regex_replace() via glib/gregex.c:...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: glib
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Importance: medium (priority) / medium (severity)
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["cf8fc7ed-496d-4ddd-92d6-0...
Depends On:
Blocks: CVE-2026-58012
 
Reported: 2026-06-30 12:58 UTC by Guilherme de Almeida Suckevicz
Modified: 2026-06-30 14:29 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-06-30 14:29:32 UTC
Type: ---
Embargoed:



Description Guilherme de Almeida Suckevicz 2026-06-30 12:58:10 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

A heap-buffer-overflow READ vulnerability exists in GLib's g_regex_replace() function when used with G_REGEX_RAW compile flag and case-change replacement escapes (\U, \L, \u, \l).
In G_REGEX_RAW mode, PCRE2 treats the subject string as raw bytes rather than UTF-8. Matched substrings can therefore contain arbitrary byte sequences that are not valid UTF-8. When the replacement string contains case-change escapes (e.g., \U\0 to uppercase the match), the internal string_append() function processes the matched substring using UTF-8 functions (g_utf8_get_char(), g_utf8_next_char()) which assume valid UTF-8 input. A multi-byte UTF-8 lead byte (e.g., 0xF4 indicating a 4-byte sequence) in the matched data causes these functions to read beyond the heap-allocated buffer.

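Added illustration of the failure mode the description above walks through. This is example code written for this tracker page, not GLib's gregex.c or gutf8.c: lead_byte_len(), unchecked_overread(), walk_checked() and upper_ascii_bytes() are simplified stand-ins (assumptions), not GLib's g_utf8_skip table or the g_utf8_next_char() macro, and the two sample matches are constructed. It models how a walker that trusts the lead byte lands past the end of a raw-mode match that ends in 0xF4, what a bounds-checked walk reports instead, and a byte-wise case change that never consults the UTF-8 decoder at all.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample "matches" as g_regex_replace() would hand them to the
 * replacement builder: one valid UTF-8 match ("a" + U+00FC) and one raw-byte
 * match that ends in the 4-byte lead byte 0xF4 with no continuation bytes
 * behind it. The 0xF4 tail is the shape described in the report; the bytes
 * before it are arbitrary. */
static const unsigned char sample_utf8[] = { 'a', 0xC3, 0xBC };
static const unsigned char sample_raw[]  = { 'a', 'b', 0xF4 };

/* Bytes a lead byte claims for its sequence. Simplified stand-in for a UTF-8
 * skip table (assumption: GLib's real table is not reproduced here and
 * differs for 0xF8..0xFD). Continuation and non-lead bytes count as 1. */
size_t lead_byte_len(unsigned char b)
{
    if (b < 0x80) return 1;          /* ASCII */
    if (b < 0xC0) return 1;          /* stray continuation byte */
    if (b < 0xE0) return 2;
    if (b < 0xF0) return 3;
    if (b < 0xF8) return 4;          /* 0xF0..0xF7, includes 0xF4 */
    return 1;                        /* not a UTF-8 lead byte */
}

/* Model of the unchecked walk: advance by the lead byte's claimed length,
 * as a next-char macro that trusts the lead byte does, and report how many
 * bytes past the end of `match` a decoder would touch when it fetches the
 * continuation bytes of the last sequence (0 means everything is in bounds).
 * Offsets are used instead of pointers, so this model itself never reads
 * outside `match`. */
size_t unchecked_overread(const unsigned char *match, size_t len)
{
    size_t off = 0;
    while (off < len) {
        size_t n = lead_byte_len(match[off]);
        if (off + n > len)
            return off + n - len;    /* bytes the decoder would read past the end */
        off += n;
    }
    return 0;
}

/* Bounded walk, the check a raw-mode caller needs before decoding: refuse a
 * sequence that does not fit in the remaining bytes, a continuation byte that
 * is not 10xxxxxx, and a byte that is neither ASCII nor a lead byte. Returns 0
 * and the code point count on success, -1 on bad input. Overlong forms and
 * surrogates are deliberately not checked here. */
int walk_checked(const unsigned char *match, size_t len, size_t *out_chars)
{
    size_t off = 0, count = 0;
    while (off < len) {
        size_t n = lead_byte_len(match[off]);
        if (n == 1 && match[off] >= 0x80)
            return -1;               /* stray continuation or invalid byte */
        if (off + n > len)
            return -1;               /* truncated sequence: decoding would over-read */
        for (size_t i = 1; i < n; i++)
            if ((match[off + i] & 0xC0) != 0x80)
                return -1;           /* not a continuation byte */
        off += n;
        count++;
    }
    *out_chars = count;
    return 0;
}

/* Case change done on bytes rather than code points: the raw-mode alternative
 * that never decodes UTF-8. Only ASCII letters change; every other byte is
 * copied verbatim. `dst` must have room for `len` bytes. */
void upper_ascii_bytes(const unsigned char *src, size_t len, unsigned char *dst)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = (src[i] >= 'a' && src[i] <= 'z') ? (unsigned char)(src[i] - 32) : src[i];
}

int main(void)
{
    size_t chars = 0;
    unsigned char out[sizeof sample_raw];
    int rc;

    rc = walk_checked(sample_utf8, sizeof sample_utf8, &chars);
    printf("valid UTF-8 match: over-read %zu byte(s), checked walk rc=%d chars=%zu\n",
           unchecked_overread(sample_utf8, sizeof sample_utf8), rc, chars);
    rc = walk_checked(sample_raw, sizeof sample_raw, &chars);
    printf("raw match ending in 0xF4: over-read %zu byte(s), checked walk rc=%d\n",
           unchecked_overread(sample_raw, sizeof sample_raw), rc);
    upper_ascii_bytes(sample_raw, sizeof sample_raw, out);
    printf("byte-wise \\U of raw match: %02X %02X %02X\n", out[0], out[1], out[2]);
    return 0;
}
```

Build with cc -std=c99 -Wall. The over-read is computed from offsets, so the model itself never reads beyond the buffer; it only reports the 3 bytes that a lead-byte-trusting decoder would fetch past the end of the constructed raw match. The practical takeaway for a caller of g_regex_replace() with G_REGEX_RAW is that match data must be treated as bytes, not as UTF-8, before any code-point based operation runs over it.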
Comment 1 Paul Howarth 2026-06-30 14:29:32 UTC
This is a glib2 issue, not a glib issue. There is no g_regex_replace function in glib version 1.

