What is the CVSS score of CVE-2026-5450?

CVE-2026-5450 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of GNU C Library (glibc) are affected by CVE-2026-5450?

CVE-2026-5450 is a critical heap buffer overflow in glibc scanf functions (versions 2.7-2.43) affecting any application that processes untrusted input with specific format specifiers, enabling remote…. A patch is available.

GNU C Library (glibc) CVE-2026-5450

EUVD-2026-23978 CRITICAL

Heap-based Buffer Overflow (CWE-122)

2026-04-20 glibc

GHSA-v898-xg3c-w4rj

Buffer Overflow Heap Overflow Red Hat Suse

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Apr 29, 2026 - 02:30 nvd

Patch available

Re-analysis Queued

Apr 23, 2026 - 15:43 vuln.today

cvss_changed

Analysis Generated

Apr 21, 2026 - 20:24 vuln.today

CVSS changed

Apr 21, 2026 - 20:22 NVD

9.8 (CRITICAL)

EUVD ID Assigned

Apr 20, 2026 - 21:15 euvd

EUVD-2026-23978

Analysis Generated

Apr 20, 2026 - 21:15 vuln.today

CVE Published

Apr 20, 2026 - 20:55 nvd

CRITICAL 9.8

DescriptionNVD

Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

AnalysisAI

Heap buffer overflow in glibc scanf functions versions 2.7 through 2.43 allows remote unauthenticated attackers to execute arbitrary code by providing malicious input to applications using %mc format specifiers with width >1024. CVSS 9.8 indicates critical network-accessible impact, but EPSS score of 0.02% (5th percentile) suggests minimal real-world exploitation activity at time of analysis. …

RemediationAI

Within 24 hours: Inventory all systems running glibc 2.7-2.43 (run ldd --version or check package managers) and identify internet-facing applications that process user input via scanf-family functions. Within 7 days: Apply glibc security updates to 2.44 or later on all production systems; coordinate patching of dependent applications (check vendor advisories for each service). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory