Description
A flaw was found in GLib. An out-of-bounds read of only 2 bytes can occur in the g_date_time_get_ymd function in the glib/gdatetime.c file when an invalid GDateTime object produced by the g_date_time_add_full function is processed. This flaw can corrupt the date output and potentially cause logic errors that may lead to a denial of service.
Published: 2026-06-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out‑of‑bounds memory read of two bytes occurs in the g_date_time_get_ymd function of GLib when an improperly constructed GDateTime object is processed. The read can corrupt the date output, potentially leading to logical errors that may manifest as a denial of service. The weakness is a buffer overread (CWE‑125).

Affected Systems

Red Hat Enterprise Linux releases 6, 7, 8, 9 and 10 and Red Hat Hardened Images ship GLib in their packages. Any system that includes these distributions is affected, as the vulnerability resides in the core GLib library bundled with the OS.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS data is not provided, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation is likely possible, locally or remotely, wherever an application passes user‑supplied date values through g_date_time_add_full; an attacker could supply crafted input to trigger the overread and cause a denial of service.

Generated by OpenCVE AI on June 30, 2026 at 15:52 UTC.

Remediation

Vendor Workaround

To mitigate this vulnerability, in applications processing user-supplied dates, implement input validation to ensure the supplied date is within the supported range before calling g_date_time_add_full() with untrusted data, specifically rejecting inputs that result in a negative or zero days field.
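
One way to implement the range check described above, as an added example that is not code from GLib or from the vendor. It is standalone C that does not call GLib; `date_add_is_safe`, its constants and the assumed supported range of 0001-01-01 to 9999-12-31 (ordinal days 1 to 3652059) are assumptions, and it covers year, month and day deltas only.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed supported range: 0001-01-01 .. 9999-12-31, counted as ordinal days. */
#define ORDINAL_MIN 1LL
#define ORDINAL_MAX 3652059LL /* 9999-12-31 */
#define DELTA_LIMIT 4000000LL /* cap on untrusted deltas; also prevents overflow */

static bool is_leap(int64_t y) {
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

static int days_in_month(int64_t y, int m) {
    static const int len[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    return (m == 2 && is_leap(y)) ? 29 : len[m - 1];
}

/* Proleptic Gregorian ordinal, where 0001-01-01 is day 1. Needs y >= 1. */
static int64_t ymd_to_ordinal(int64_t y, int m, int d) {
    static const int before[12] = {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
    int64_t py = y - 1;
    int64_t n = py * 365 + py / 4 - py / 100 + py / 400 + before[m - 1] + d;
    return (m > 2 && is_leap(y)) ? n + 1 : n;
}

static bool delta_ok(int64_t v) { return v >= -DELTA_LIMIT && v <= DELTA_LIMIT; }

/* Hypothetical pre-check: true only if base + (years, months, days) stays in
 * range, so the caller can reject the request before doing the addition. */
bool date_add_is_safe(int y, int m, int d,
                      int64_t add_years, int64_t add_months, int64_t add_days) {
    if (y < 1 || y > 9999 || m < 1 || m > 12 || d < 1 || d > days_in_month(y, m))
        return false;
    if (!delta_ok(add_years) || !delta_ok(add_months) || !delta_ok(add_days))
        return false;

    /* Years and months first, as a month index; year 1 starts at index 12. */
    int64_t total = (int64_t)y * 12 + (m - 1) + add_years * 12 + add_months;
    if (total < 12 || total > 9999 * 12 + 11)
        return false;
    int64_t ny = total / 12;
    int nm = (int)(total % 12) + 1;

    /* Assumption: the day is clamped to the target month's length. */
    int dim = days_in_month(ny, nm);
    int64_t ordinal = ymd_to_ordinal(ny, nm, d > dim ? dim : d) + add_days;
    /* Reject zero or negative day counts, and anything past the maximum. */
    return ordinal >= ORDINAL_MIN && ordinal <= ORDINAL_MAX;
}
```

Hour, minute and second deltas can also move the result across a day boundary, so bound them the same way or fold them into the day delta before calling the check.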


OpenCVE Recommended Actions

  • Apply the Red Hat update that contains the GLib patch for CVE‑2026‑58011.
  • Implement input validation in applications that consume user‑supplied dates to reject values that result in negative or zero day fields before calling g_date_time_add_full.
  • Audit and refactor code paths that use g_date_time_add_full with untrusted data, removing or replacing them when feasible.



Advisories

No advisories yet.

History

Tue, 30 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
References | |
Metrics ssvc | | {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 13:15:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in GLib. An out-of-bounds read of only 2 bytes can occur in the g_date_time_get_ymd function in the glib/gdatetime.c file when an invalid GDateTime object produced by the g_date_time_add_full function is processed. This flaw can corrupt the date output and potentially cause logic errors that may lead to a denial of service.
Title | | Glib: out-of-bounds read in glib/gdatetime.c:g_date_time_get_ymd via invalid gdatetime
First Time appeared | | Redhat, Redhat enterprise Linux, Redhat hummingbird
Weaknesses | | CWE-125
CPEs | | cpe:/a:redhat:hummingbird:1, cpe:/o:redhat:enterprise_linux:10, cpe:/o:redhat:enterprise_linux:6, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9
Vendors & Products | | Redhat, Redhat enterprise Linux, Redhat hummingbird
References | |
Metrics cvssV3_1 | | {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Redhat Enterprise Linux Hummingbird
MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-30T14:28:17.185Z

Reserved: 2026-06-26T20:59:47.855Z

Link: CVE-2026-58011

Vulnrichment

Updated: 2026-06-30T13:18:29.941Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T16:00:15Z

Weaknesses