Bug 2492247 (CVE-2026-58012) - CVE-2026-58012 glib: buffer over-read in g_regex_replace() via glib/gregex.c:string_append() and g_utf8_next_char()
Keywords:
Status: NEW
Alias: CVE-2026-58012
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2494874 2494875 2494873
Blocks:
Reported: 2026-06-24 16:49 UTC by OSIDB Bzimport
Modified: 2026-06-30 12:58 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-24 16:49:19 UTC
A heap-buffer-overflow READ vulnerability exists in GLib's g_regex_replace() function when used with the G_REGEX_RAW compile flag and case-change replacement escapes (\U, \L, \u, \l).
In G_REGEX_RAW mode, PCRE2 treats the subject string as raw bytes rather than UTF-8. Matched substrings can therefore contain arbitrary byte sequences that are not valid UTF-8. When the replacement string contains case-change escapes (e.g., \U\0 to uppercase the match), the internal string_append() function processes the matched substring using UTF-8 functions (g_utf8_get_char(), g_utf8_next_char()) which assume valid UTF-8 input. A multi-byte UTF-8 lead byte (e.g., 0xF4 indicating a 4-byte sequence) in the matched data causes these functions to read beyond the heap-allocated buffer.
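
The mechanism described above, as an added example that is not GLib's code and not the upstream fix: a walker that advances by the length its lead byte implies, next to a bounded check that rejects a raw match before it reaches UTF-8 case routines. `lead_len`, `walk_overshoot` and `match_is_walkable` are hypothetical names, and the skip logic is a simplified model (an assumption) of how g_utf8_next_char() advances.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a skip-table step: length implied by the lead byte alone. */
static size_t lead_len(unsigned char b)
{
    if (b < 0x80) return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 1;   /* stray continuation or invalid lead byte */
}

/* How far past the end a walker that trusts lead bytes would step.
 * The cursor is only simulated; no byte outside [0, len) is read. */
size_t walk_overshoot(const unsigned char *s, size_t len)
{
    size_t pos = 0;
    while (pos < len)
        pos += lead_len(s[pos]);
    return pos - len;
}

/* Bounded check: 1 only if every sequence fits inside len and its
 * trailing bytes are continuation bytes (10xxxxxx). */
int match_is_walkable(const unsigned char *s, size_t len)
{
    size_t pos = 0;
    while (pos < len) {
        size_t n = lead_len(s[pos]);
        if (s[pos] >= 0x80 && n == 1) return 0;     /* invalid lead */
        if (n > len - pos) return 0;                /* truncated sequence */
        for (size_t i = 1; i < n; i++)
            if ((s[pos + i] & 0xC0) != 0x80) return 0;
        pos += n;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: a raw-mode match ending in lead byte 0xF4. */
    const unsigned char raw[] = { 'a', 'b', 0xF4 };
    printf("overshoot=%zu walkable=%d\n",
           walk_overshoot(raw, sizeof raw), match_is_walkable(raw, sizeof raw));
    return 0;
}
```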

