Description
A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.
Published: 2025-12-10
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential Code Execution
Action: Apply Patch
AI Analysis

Impact

A buffer-underflow flaw in GLib's GVariant parser can corrupt heap memory when processing maliciously crafted strings. The consequence is a denial of service or, in the worst case, arbitrary code execution, as the corrupted memory can be leveraged to overwrite critical data structures. The weakness is classified as a heap-based buffer overflow (CWE-122) and involves integer conversion errors (CWE-190).

Affected Systems

The vulnerability affects the GNOME GLib library and a range of Red Hat Enterprise Linux releases from 6 up through 10, including Red Hat Hardened Images. Any system that relies on the vulnerable version of GLib may be impacted, especially services that parse untrusted data with GVariant.

Risk and Exploitability

The CVSS score of 5.6 indicates a moderate severity, and the EPSS score of less than 1% implies a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker supplying malicious input to an application that uses the vulnerable GVariant parser; this requires the attacker to have a path to inject or influence the data processed by the parser.

Generated by OpenCVE AI on April 20, 2026 at 15:27 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the security update provided in RHSA-2026:7461 to install a patched version of GLib; this is the official vendor solution.
  • Ensure that any input parsed by GVariant is strictly validated and originates from trusted sources; reject or sanitize malformed or oversized strings before they reach the parser.
  • If a patch cannot be applied immediately, restrict the scope of the vulnerable library by running affected services in isolated containers or with mandatory access controls such as SELinux to contain potential code execution.



Advisories

Source       ID           Title
Debian DLA   DLA-4412-1   glib2.0 security update
Ubuntu USN   USN-7942-1   GLib vulnerabilities
Ubuntu USN   USN-7942-2   GLib vulnerabilities

History

Sun, 19 Apr 2026 20:00:00 +0000

Type                  Values Removed   Values Added
References

Mon, 13 Apr 2026 17:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Redhat hummingbird
CPEs                  -                cpe:/a:redhat:hummingbird:1
Vendors & Products    -                Redhat hummingbird

Wed, 18 Mar 2026 17:00:00 +0000

Type                  Values Removed   Values Added
References

Fri, 06 Feb 2026 17:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Gnome
                                       Gnome glib
CPEs                  -                cpe:2.3:a:gnome:glib:*:*:*:*:*:*:*:*
                                       cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
                                       cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
                                       cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
                                       cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products    -                Gnome
                                       Gnome glib

Wed, 10 Dec 2025 15:15:00 +0000

Type                  Values Removed   Values Added
Metrics               -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Dec 2025 12:15:00 +0000

Type                  Values Removed            Values Added
Weaknesses            -                         CWE-122
References
Metrics               threat_severity: None     threat_severity: Moderate


Wed, 10 Dec 2025 09:15:00 +0000

Type                  Values Removed   Values Added
Description           -                A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.
Title                 -                Glib: glib: buffer underflow in gvariant parser leads to heap corruption
First Time appeared   -                Redhat
                                       Redhat enterprise Linux
Weaknesses            -                CWE-190
CPEs                  -                cpe:/o:redhat:enterprise_linux:10
                                       cpe:/o:redhat:enterprise_linux:6
                                       cpe:/o:redhat:enterprise_linux:7
                                       cpe:/o:redhat:enterprise_linux:8
                                       cpe:/o:redhat:enterprise_linux:9
Vendors & Products    -                Redhat
                                       Redhat enterprise Linux
References
Metrics               -                cvssV3_1: {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}


Subscriptions

Gnome Glib
Redhat Enterprise Linux Hummingbird
MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-19T19:38:15.686Z

Reserved: 2025-12-05T08:42:34.987Z

Link: CVE-2025-14087

Vulnrichment

Updated: 2025-12-10T14:45:51.052Z

NVD

Status: Modified

Published: 2025-12-10T09:15:47.053

Modified: 2026-04-19T20:16:20.380

Link: CVE-2025-14087

Redhat

Severity: Moderate

Public Date: 2025-12-05T00:00:00Z

Links: CVE-2025-14087 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T15:30:06Z

Weaknesses