Description
Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.

A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.
Published: 2026-04-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential data disclosure or program crash due to buffer under-read
Action: Patch Immediately
AI Analysis

Impact

A flaw in the implementation of the wide‑character pushback function _IO_wdefault_pbackfail leads the ungetwc() routine to operate on the regular character buffer instead of the wide‑stream read pointer, resulting in an under‑read of memory preceding the buffer. The under‑read can expose neighboring data on the heap or, if the pointer is null, cause a crash. This weakness is identified as CWE‑125 – Buffer Under‑read and CWE‑127 – Buffer Under‑read.

Affected Systems

The GNU C Library glibc, versions 2.43 and earlier, are affected. Any distribution shipping these versions is vulnerable. Newer releases (2.44 and later) include the fix and are not impacted.

Risk and Exploitability

The EPSS score is <1% and the vulnerability is not listed in CISA KEV. The CVSS score is 7.5, indicating a moderate to high severity; this flaw can be triggered by calling ungetwc on a FILE stream that processes wide characters in an encoding where single‑byte and multi‑byte representations overlap. An attacker would need to supply such input to a vulnerable program, enabling retrieval of memory adjacent to the buffer or causing a crash. The potential impact ranges from unintentional data disclosure to denial of service, warranting prompt remediation.

Generated by OpenCVE AI on April 22, 2026 at 15:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to glibc 2.44 or a later release that contains the fix for the ungetwc under‑read bug.
  • If an upgrade is not immediately possible, modify or remove calls to ungetwc for streams that may use wide characters in encodings with overlapping single‑byte and multi‑byte representations, or ensure the encoding is strictly Unicode so no spurious matches can occur.
  • Continue monitoring vendor advisories and security bulletins for further updates or additional mitigation guidance.

Generated by OpenCVE AI on April 22, 2026 at 15:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Title Static buffer overflow in deprecated nis_local_principal Potential buffer under-read in ungetwc

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Gnu
Gnu glibc
CPEs cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*
Vendors & Products Gnu
Gnu glibc

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared The Gnu C Library
The Gnu C Library glibc
Vendors & Products The Gnu C Library
The Gnu C Library glibc

Mon, 20 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.
Title Static buffer overflow in deprecated nis_local_principal
Weaknesses CWE-127
References

Subscriptions

Gnu Glibc
The Gnu C Library Glibc
cve-icon MITRE

Status: PUBLISHED

Assigner: glibc

Published:

Updated: 2026-04-30T15:43:07.240Z

Reserved: 2026-04-08T22:47:29.814Z

Link: CVE-2026-5928

cve-icon Vulnrichment

Updated: 2026-04-21T16:10:51.837Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-20T21:16:36.963

Modified: 2026-04-23T15:33:43.690

Link: CVE-2026-5928

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-20T20:37:31Z

Links: CVE-2026-5928 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:30:20Z

Weaknesses