Description
A flaw was found in GLib. An off-by-one error can occur in the gvs_tuple_is_normal function in the glib/gvariant-serialiser.c file when doing an alignment padding check because the bounds check uses > instead of >=, causing an out-of-bounds read of only 1 byte. This issue can cause a minor information disclosure of 1 byte and a denial of service when the out-of-bounds read crosses a page boundary.
Published: 2026-06-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an off‑by‑one error in the gvs_tuple_is_normal function of GLib’s variant serialiser, which checks that a serialised tuple is in normal form. While verifying that alignment padding bytes are zero, the function tests the current offset against the buffer size with > instead of >=, so an offset equal to the size passes the check and the function reads one byte past the end of the serialised data. That read can reveal one byte of adjacent memory (a minor information disclosure). If the buffer ends exactly at a page boundary and the next page is unmapped, the read faults and the process crashes, resulting in denial of service. The weakness is a classic buffer over‑read (CWE-126).
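To make the > versus >= distinction concrete, the following C program is an added example: it models the padding-zero loop of a tuple normal-form check over a serialised buffer and records which byte indices the check reads. It is not GLib's gvs_tuple_is_normal() and none of its types, names or sample bytes come from GLib; the member layout, the 4-byte truncated value and the 0xAA byte placed after it are constructed for the demonstration.

```c
/* Constructed model of the alignment-padding loop in a tuple normal-form
 * check, with the `>` vs `>=` bounds test selectable.  Added illustration,
 * not GLib's gvs_tuple_is_normal(); every type, name and sample byte here
 * is an assumption made for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { size_t size; size_t align; } member_t;  /* fixed-size member */

typedef struct {
  const uint8_t *data;
  size_t size;        /* bytes that actually belong to the serialised value */
  size_t max_index;   /* instrumentation: highest index the check has read */
  bool   touched;     /* instrumentation: whether any byte was read at all */
} view_t;

static uint8_t peek(view_t *v, size_t i)
{
  if (!v->touched || i > v->max_index) { v->max_index = i; v->touched = true; }
  return v->data[i];
}

/* Returns true if `v` is a normally serialised tuple of members `m`: every
 * inter-member padding byte is zero and the members exactly fill the buffer.
 * strict_bound selects `offset >= size` (correct) instead of `offset > size`
 * (the off-by-one the advisory describes). */
static bool tuple_is_normal(view_t *v, const member_t *m, size_t n, bool strict_bound)
{
  size_t offset = 0;
  for (size_t i = 0; i < n; i++) {
    size_t mask = m[i].align - 1;            /* align is a power of two */
    while (offset & mask) {
      bool out_of_bounds = strict_bound ? (offset >= v->size)
                                        : (offset >  v->size);
      if (out_of_bounds)
        return false;
      /* With `>`, offset == size passes and this reads data[size]:
       * exactly one byte past the end of the value. */
      if (peek(v, offset++) != 0)
        return false;
    }
    if (offset > v->size || m[i].size > v->size - offset)
      return false;                           /* member would overrun */
    offset += m[i].size;
  }
  return offset == v->size;
}

/* Sample layout: a 1-byte member followed by an 8-byte, 8-aligned member.
 * A normal serialisation is 1 + 7 padding + 8 = 16 bytes. */
static const member_t k_members[2] = { { 1, 1 }, { 8, 8 } };

/* Constructed backing memory.  Only the first 4 bytes belong to the value;
 * the 0xAA at index 4 stands in for whatever sits after the real buffer. */
static const uint8_t k_backing[8]    = { 0x01, 0, 0, 0, 0xAA, 0xBB, 0xCC, 0xDD };
static const uint8_t k_normal[16]    = { 0x01, 0, 0,    0, 0, 0, 0, 0,
                                         1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t k_dirty_pad[16] = { 0x01, 0, 0xFF, 0, 0, 0, 0, 0,
                                         1, 2, 3, 4, 5, 6, 7, 8 };

/* Highest byte index the check reads on the truncated 4-byte value. */
size_t truncated_max_index_read(bool strict_bound)
{
  view_t v = { k_backing, 4, 0, false };
  tuple_is_normal(&v, k_members, 2, strict_bound);
  return v.max_index;
}

/* Normal-form verdict for a complete 16-byte value. */
bool check_16(const uint8_t *bytes, bool strict_bound)
{
  view_t v = { bytes, 16, 0, false };
  return tuple_is_normal(&v, k_members, 2, strict_bound);
}

int main(void)
{
  printf("truncated, '>'  bound: max index read %zu (value size 4)\n",
         truncated_max_index_read(false));
  printf("truncated, '>=' bound: max index read %zu (value size 4)\n",
         truncated_max_index_read(true));
  printf("normal 16-byte value: %d, non-zero padding: %d\n",
         check_16(k_normal, true), check_16(k_dirty_pad, true));
  return 0;
}
```

With the > test the truncated value makes the loop read index 4 of a 4-byte value, which is the single byte past the end that the advisory describes; with >= the loop stops after index 3 and rejects the value. In the real library that extra byte is whatever follows the GVariant's data, and when the data ends exactly at the edge of a mapped page the read faults instead of leaking.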

Affected Systems

Red Hat Enterprise Linux 6 through 10 and the Red Hat Hummingbird hardened images are listed as affected because they ship a GLib package built from the vulnerable code; GNOME’s GLib is the affected upstream project. The flaw lives in glib/gvariant‑serialiser.c, so any process that uses GLib’s GVariant serialiser to validate serialised data it did not produce itself is in scope, regardless of which application links the library.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) indicates moderate severity: the vector assumes the vulnerable check is reachable over the network without privileges or user interaction, with low impact on confidentiality (one byte) and availability (a crash) and none on integrity. The EPSS score is below 1%, so the current estimated probability of exploitation is very low, and the vulnerability is not listed in the CISA KEV catalog. Real exposure depends on whether a given process feeds attacker‑controlled serialised GVariant data to the normal‑form check; where it does, an attacker can cause a one‑byte over‑read and, if that byte lies in an unmapped page, terminate the process. No patch or workaround has been released by Red Hat yet, so the issue still deserves timely mitigation once an update is available.

Generated by OpenCVE AI on June 30, 2026 at 17:05 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Check Red Hat advisories regularly for a GLib update and apply it when released.
  • If no update is available, limit which processes parse serialised GVariant data from untrusted sources, watch those processes for segmentation faults (a read that crosses into an unmapped page terminates the process), and restart affected services promptly to limit denial‑of‑service impact.
  • Apply any future vendor patches or security updates immediately once they are released.
  • Note that currently no workaround is available.

Generated by OpenCVE AI on June 30, 2026 at 17:05 UTC.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Gnome
                                      Gnome glib
                                      Redhat hardened Images
Vendors & Products                    Gnome
                                      Gnome glib
                                      Redhat hardened Images

Tue, 30 Jun 2026 14:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 13:15:00 +0000

Type                 Values Removed   Values Added
Description                           A flaw was found in GLib. An off-by-one error can occur in the gvs_tuple_is_normal function in the glib/gvariant-serialiser.c file when doing an alignment padding check because the bounds check uses > instead of >=, causing an out-of-bounds read of only 1 byte. This issue can cause a minor information disclosure of 1 byte and a denial of service when the out-of-bounds read crosses a page boundary.
Title                                 Glib: buffer over-read in glib/gvariant-serialiser.c via gvs_tuple_is_normal()
First Time appeared                   Redhat
                                      Redhat enterprise Linux
                                      Redhat hummingbird
Weaknesses                            CWE-126
CPEs                                  cpe:/a:redhat:hummingbird:1
                                      cpe:/o:redhat:enterprise_linux:10
                                      cpe:/o:redhat:enterprise_linux:6
                                      cpe:/o:redhat:enterprise_linux:7
                                      cpe:/o:redhat:enterprise_linux:8
                                      cpe:/o:redhat:enterprise_linux:9
Vendors & Products                    Redhat
                                      Redhat enterprise Linux
                                      Redhat hummingbird
References
Metrics                               cvssV3_1
                                      {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-30T14:28:12.417Z

Reserved: 2026-06-26T20:59:47.855Z

Link: CVE-2026-58010

Vulnrichment

Updated: 2026-06-30T14:03:42.815Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:01:41Z

Weaknesses