CVE-2025-13601
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Description
A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.
Analysis
A heap-based buffer overflow vulnerability exists in the glib library's g_escape_uri_string() function due to an integer overflow in buffer size calculation when processing strings with a very large number of characters requiring URI escaping. This vulnerability affects multiple Red Hat Enterprise Linux 9.0 and 10.0 distributions across various architectures (x86_64, ARM64, IBM Z, Power). A proof-of-concept exploit is publicly available, though EPSS scoring indicates only 0.01% exploitation probability (1st percentile), suggesting limited active exploitation in the wild despite the availability of exploit code.
Technical Context
The vulnerability affects glib, a fundamental low-level library providing core application building blocks for GNOME and many Linux applications. The affected products include Red Hat Enterprise Linux 9.0 and 10.0 across multiple architectures (cpe:2.3:o:redhat:enterprise_linux_for_x86_64:9.0, cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0, and related CPE strings for IBM Z Systems and Power architectures), as well as CodeReady Linux Builder variants. The root cause is CWE-190 (Integer Overflow or Wraparound), where the calculation of escaped string length in g_escape_uri_string() can overflow when processing strings containing an excessive number of characters requiring percent-encoding. This integer overflow leads to allocating an insufficiently sized buffer, subsequently causing a heap-based buffer overflow (CWE-122) when the function writes escaped characters beyond the allocated memory boundary.
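To make the size calculation concrete, here is an added C example (not glib's code) that contrasts a 32-bit length accumulator, which wraps once enough input bytes need percent-encoding, with an overflow-checked size_t computation that refuses rather than allocating an undersized buffer. The escape set, the helper names, and the GCC/Clang __builtin_*_overflow builtins are assumptions for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
static bool needs_escape(unsigned char c)
{   /* Assumed: RFC 3986 unreserved characters and '/' pass through unescaped. */
    return !(isalnum((int)c) || strchr("-._~/", c));
}
/* Bug pattern: a 32-bit accumulator for plain + 3*unsafe + 1 wraps silently
 * once enough bytes need escaping, so the buffer allocated is too small. */
uint32_t unchecked_escaped_size(size_t plain, size_t unsafe)
{
    return (uint32_t)plain + 3u * (uint32_t)unsafe + 1u;
}
/* Hardened: same formula in size_t with every step overflow-checked;
 * returns false instead of a wrapped size (caller must treat that as an error). */
bool checked_escaped_size(size_t plain, size_t unsafe, size_t *out)
{
    size_t tmp, total;
    if (__builtin_mul_overflow(unsafe, (size_t)3, &tmp)) return false;
    if (__builtin_add_overflow(plain, tmp, &total)) return false;
    if (__builtin_add_overflow(total, (size_t)1, &total)) return false;
    *out = total;
    return true;
}
/* Percent-encode s; returns NULL when the size cannot be computed safely. */
char *escape_uri_checked(const char *s)
{
    size_t plain = 0, unsafe = 0, size;
    static const char hex[] = "0123456789ABCDEF";
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (needs_escape(*p)) unsafe++; else plain++;
    if (!checked_escaped_size(plain, unsafe, &size)) return NULL;
    char *out = malloc(size), *q = out;
    if (!out) return NULL;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (!needs_escape(*p)) { *q++ = (char)*p; continue; }
        *q++ = '%'; *q++ = hex[*p >> 4]; *q++ = hex[*p & 0x0F];
    }
    *q = '\0';
    return out;
}
/* Helper for checks: escape a constructed input, compare, and free the result. */
bool escape_matches(const char *in, const char *expected)
{
    char *e = escape_uri_checked(in);
    bool ok = e && strcmp(e, expected) == 0;
    free(e);
    return ok;
}
```

With 0x60000000 bytes needing escaping, the 32-bit formula yields 0x20000001 where the true requirement is 0x120000001, which is exactly the undersized allocation the advisory describes.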
Affected Products
This vulnerability affects Red Hat Enterprise Linux 9.0 and 10.0 distributions across multiple architectures. Specifically impacted are Red Hat Enterprise Linux for x86_64 (cpe:2.3:o:redhat:enterprise_linux_for_x86_64:9.0), Red Hat Enterprise Linux for ARM 64 (cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0), Red Hat Enterprise Linux for IBM Z Systems (cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0_s390x), and Red Hat Enterprise Linux for Power Little Endian (cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0_ppc64le). Additionally, CodeReady Linux Builder variants for these same architectures in versions 9.0 and 10.0 are affected. Red Hat has published multiple security advisories, available at https://access.redhat.com/errata/, with reference numbers ranging from RHSA-2026:0936 through RHSA-2026:1736.
Remediation
Apply the appropriate Red Hat security update for your specific platform and architecture by consulting the relevant RHSA advisory from the following list: RHSA-2026:0936, RHSA-2026:0975, RHSA-2026:0991, RHSA-2026:1323, RHSA-2026:1324, RHSA-2026:1326, RHSA-2026:1327, RHSA-2026:1465, RHSA-2026:1608, RHSA-2026:1624, RHSA-2026:1625, RHSA-2026:1626, RHSA-2026:1627, RHSA-2026:1652, or RHSA-2026:1736 available at https://access.redhat.com/errata/. These advisories contain patched glib packages that correct the buffer size calculation in g_escape_uri_string(). Organizations should prioritize patching systems where local users have untrusted access or in multi-tenant environments. As the vulnerability requires local access and involves URI string processing, interim mitigation through input validation may be difficult; applying vendor patches is the recommended remediation path.