Description
A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.
Published: 2025-12-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an integer overflow in glib's GIO escape_byte_string() which results in a heap buffer overflow. When malicious file or remote filesystem attribute values are processed, the overflow can crash the application, causing a denial of service. This weakness is classified as an Integer Overflow (CWE-190).

Affected Systems

Affected systems include GNOME glib, Red Hat Enterprise Linux versions 6 through 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4. The Common Platform Enumeration entries list all major releases of the platforms, but no specific glib version numbers are provided in the advisory.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. With an EPSS score of less than 1%, the likelihood of exploitation is very low, and the vulnerability is not listed in CISA KEV. The attack vector is inferred from the description: it can be triggered by providing malicious file or remote filesystem attribute values, suggesting that an attacker would need access to the file system or to a process that handles such attributes. No official workaround is available, so mitigation depends on applying the vendor patch.

Generated by OpenCVE AI on April 20, 2026 at 15:26 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
OpenCVE Recommended Actions

  • Apply the Red Hat security update RHSA-2026:7461 that updates glib to a version that fixes the integer overflow.
  • Upgrade the GNOME glib package to the latest released version that contains the required patch.
  • Review and, if possible, restrict processing of untrusted file or remote filesystem attribute values before invoking GIO escape_byte_string() to prevent the overflow from being triggered.

Generated by OpenCVE AI on April 20, 2026 at 15:26 UTC.

Advisories

  Source: Debian DLA
  ID: DLA-4412-1
  Title: glib2.0 security update

History

Sun, 19 Apr 2026 20:00:00 +0000
  References: changed (values not listed)

Mon, 13 Apr 2026 17:45:00 +0000
  First Time appeared: Redhat hummingbird
  CPEs added: cpe:/a:redhat:hummingbird:1
  Vendors & Products added: Redhat hummingbird

Thu, 19 Mar 2026 10:15:00 +0000
  References: changed (values not listed)

Fri, 06 Feb 2026 17:30:00 +0000
  First Time appeared: Gnome; Gnome glib
  CPEs added:
    cpe:2.3:a:gnome:glib:*:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:openshift:4.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:-:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
  Vendors & Products added: Gnome; Gnome glib

Thu, 11 Dec 2025 15:15:00 +0000
  Metrics added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Dec 2025 12:15:00 +0000
  References: changed (values not listed)
  Metrics threat_severity: None -> Moderate

Thu, 11 Dec 2025 07:15:00 +0000
  Description added: A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.
  Title added: Glib: integer overflow in glib gio attribute escaping causes heap buffer overflow
  First Time appeared: Redhat; Redhat enterprise Linux; Redhat openshift
  Weaknesses added: CWE-190
  CPEs added:
    cpe:/a:redhat:openshift:4
    cpe:/o:redhat:enterprise_linux:10
    cpe:/o:redhat:enterprise_linux:6
    cpe:/o:redhat:enterprise_linux:7
    cpe:/o:redhat:enterprise_linux:8
    cpe:/o:redhat:enterprise_linux:9
  Vendors & Products added: Redhat; Redhat enterprise Linux; Redhat openshift
  References: changed (values not listed)
  Metrics added: cvssV3_1
    {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-19T19:38:20.655Z

Reserved: 2025-12-11T06:28:34.708Z

Link: CVE-2025-14512

Vulnrichment

Updated: 2025-12-11T14:57:03.170Z

NVD

Status : Modified

Published: 2025-12-11T07:16:00.463

Modified: 2026-04-19T20:16:20.753

Link: CVE-2025-14512

Redhat

Severity : Moderate

Public Date: 2025-12-11T00:00:00Z

Links: CVE-2025-14512 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T15:30:06Z

Weaknesses