Bug 2499972 - CVE-2026-58472 wget2: GNU Wget: Arbitrary code execution or denial of service via crafted HTML attribute [fedora-all]
Summary: CVE-2026-58472 wget2: GNU Wget: Arbitrary code execution or denial of service...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: wget2
Version: rawhide
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Neal Gompa
QA Contact:
URL:
Whiteboard: {"flaws": ["2d586b1b-ffc9-49c3-8c68-7...
Depends On:
Blocks: CVE-2026-58472
TreeView+ depends on / blocked
 
Reported: 2026-07-14 13:02 UTC by Srikanth Balasubramanian
Modified: 2026-07-16 07:48 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-07-16 07:48:57 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Srikanth Balasubramanian 2026-07-14 13:02:39 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.

Comment 1 Michal Ruprich 2026-07-16 07:48:57 UTC
This CVE is not applicable for wget2, only for the original GNU Wget. wget2 is a complete re-write and does not share any code with wget. Closing.


Note You need to log in before you can comment on or make changes to this bug.