Description
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of Service (DoS) via parsing a crafted input.
Published: 2026-06-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An issue in the parse_month function of the relibc library allows an attacker to cause a denial of service by feeding a specifically crafted date string to the parser. The flaw arises during month parsing and can lead to a crash or infinite loop, halting the component that relies on this routine. Because the function can be invoked with user-supplied data, the impact is a disruption of service continuity rather than a direct compromise of confidentiality or integrity.

Affected Systems

The vulnerability affects the relibc component used in Redox OS, specifically the commit identified as ab6a2e prior to the merge request 990 that contains the fix. Any Redox OS installation or software bundle that includes this version of relibc and calls parse_month could be impacted. The references include the issue tracker and merge requests on the Redox OS GitLab repository.

Risk and Exploitability

The CVSS score is 7.5, indicating moderate to high severity. EPSS Score is <1%, suggesting low exploit probability. The vulnerability is not listed in the CISA KEV catalog, implying that there are no publicly known reliable exploits at the time of analysis. Nonetheless, an attacker can trigger a DoS by sending a malformed date string to any service that processes user dates via parse_month. Successful exploitation would render that component unavailable but would not grant code execution or credential compromise.

Generated by OpenCVE AI on June 29, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade relibc to the patched version in merge request 990 or later
  • Validate or sanitize all date strings before invoking parse_month to ensure only legitimate month values are accepted
  • Where possible, replace parse_month calls with a safer date parsing routine that is not vulnerable to crafted input

Generated by OpenCVE AI on June 29, 2026 at 15:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Redox-os
Redox-os relibc
Vendors & Products Redox-os
Redox-os relibc

Mon, 29 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Malformed Date Parsing in relibc's parse_month

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via Malformed Date Parsing in relibc's parse_month
Weaknesses CWE-20

Fri, 26 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of Service (DoS) via parsing a crafted input.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-29T13:56:45.267Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38639

cve-icon Vulnrichment

Updated: 2026-06-29T13:55:40.907Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:08:27Z

Weaknesses
  • CWE-20

    Improper Input Validation