Skip to main content

GNU gawk CVE-2026-40469

MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-07-13 CERT-PL
5.1
CVSS 4.0 · Vendor: CERT-PL
Share

Severity by source

Vendor (CERT-PL) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.0 MEDIUM

Local vector because gawk processes input on the local system; PR:N since any user can invoke gawk with crafted input; impact is crash-only so A:L, C:N, I:N.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (CERT-PL).

CVSS VectorVendor: CERT-PL

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 13:17 vuln.today

DescriptionCVE.org

Integer overflow vulnerability has been found in "builtin.c" program file of gawk (do_sub() routine). This issue could be used to overwrite gawk heap metadata and objects causing the program to crash. It affects 32-bit builds of gawk in versions 5.4.0 and below.

AnalysisAI

Integer overflow in gawk's do_sub() routine (builtin.c) enables heap metadata corruption on 32-bit builds, crashing the process. Affecting all gawk versions through 5.4.0 compiled for 32-bit architectures, this flaw was reported by CERT-PL and is limited exclusively to the availability domain - the CVSS 4.0 vector confirms no confidentiality or integrity impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify 32-bit gawk deployment
Delivery
Craft malicious sub()/gsub() input
Exploit
Supply input to vulnerable gawk process
Execution
Trigger integer overflow in do_sub()
Persist
Corrupt heap metadata
Impact
Crash gawk process

Vulnerability AssessmentAI

Exploitation Exploitation requires a 32-bit compiled build of gawk at version 5.4.0 or below - 64-bit builds are architecturally immune regardless of version. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.1 with vector AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N appropriately reflects a low-severity, availability-only, locally triggered issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker or malicious script supplies specially crafted substitution input to a 32-bit gawk process - for example, piping data into a gawk script that invokes sub() or gsub() - triggering the integer overflow in do_sub(), which corrupts heap metadata and causes gawk to crash. In an automated text-processing pipeline running on a 32-bit Linux system, this could interrupt batch jobs or log-analysis workflows. …
Remediation The primary fix is to apply the upstream patch commit available at https://cgit.git.savannah.gnu.org/cgit/gawk.git/commit/?id=ae1b2d508f46913269a9e62aceda3636afe8147b. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-40469 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy