GNU Patch & Wget: Six Vulnerabilities Including Heap Overflows and DoS Disclosed Together
Six vulnerabilities disclosed in GNU patch and GNU Wget, including memory corruption and DoS flaws, patched by Debian and specific commits.

Key findings
- Six vulnerabilities disclosed in GNU patch and GNU Wget between July 8-10, 2026.
- GNU patch vulnerable to NULL pointer dereference and DoS via crafted patch files (CVE-2026-56288, CVE-2026-56289).
- GNU Wget (<=1.25.0) affected by heap overflows, underread, and integer overflow (CVE-2026-58472, CVE-2026-58470, CVE-2026-58469, CVE-2026-58471).
- Vulnerabilities stem from improper input validation and memory handling.
- Fixes for Wget are in specific commits; patch issues addressed by Debian.
On July 8-10, 2026, a batch of six vulnerabilities was disclosed across two core GNU utilities: GNU patch and GNU Wget. The disclosures, primarily from Debian, highlight issues ranging from NULL pointer dereferences and denial-of-service vulnerabilities in GNU patch to heap buffer overflows, underreads, and integer overflows in GNU Wget. These vulnerabilities could allow attackers to corrupt memory or cause applications to enter infinite loops, potentially leading to denial of service or further system compromise.
The vulnerabilities in GNU patch, CVE-2026-56288 and CVE-2026-56289, stem from improper handling of specially crafted unified-diff patch files. CVE-2026-56288 involves a NULL pointer dereference when processing consecutive end-of-file newline markers, leading to a NULL pointer being passed to fwrite(). CVE-2026-56289 addresses a denial-of-service vulnerability where improper validation of hunk line offsets in unified-diff input can cause an infinite processing loop due to an extremely large line number specification.
GNU Wget is affected by four vulnerabilities disclosed on July 8, 2026. CVE-2026-58472 and CVE-2026-58471 are heap buffer overflows. The former occurs in the html_quote_string() function due to a crafted HTML attribute with a large number of characters requiring entity encoding, while the latter is in the convert_fname() function triggered by a server-supplied filename requiring character set conversion. CVE-2026-58469 is a heap buffer underread in the clean_metalink_string() function, exploitable by a malicious server serving a Metalink document with a whitespace-only URL. Finally, CVE-2026-58470 is an integer overflow vulnerability in the parse_content_range() function, triggered by malicious Content-Range header values, leading to undefined behavior.
These vulnerabilities affect GNU Wget versions up to 1.25.0, with fixes implemented in specific commits (dd692d9, 43d3ba9, 37a40fc, and c2640fe). The GNU patch vulnerabilities were patched by Debian, indicating a need for users to update their systems with the latest security patches.
Users of GNU patch and GNU Wget are advised to apply security updates as soon as they become available. The coordinated disclosure of these vulnerabilities across different GNU utilities underscores the importance of timely patching and vigilance against malformed inputs that could lead to memory corruption or denial-of-service conditions.
The fixes for the GNU Wget vulnerabilities were addressed in commit dd692d9, 43d3ba9, 37a40fc, and c2640fe. The GNU patch vulnerabilities were addressed by Debian.
The vulnerabilities in GNU Wget (CVE-2026-58472, CVE-2026-58470, CVE-2026-58469, CVE-2026-58471) affect versions up to 1.25.0. The GNU patch vulnerabilities (CVE-2026-56288, CVE-2026-56289) were patched by Debian.
This batch of vulnerabilities highlights potential weaknesses in input validation and memory handling within widely used GNU utilities. Users should prioritize updating their systems to mitigate risks associated with these flaws.