Skip to main content

GNU Wget CVE-2026-58471

| EUVDEUVD-2026-42083 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-07-07 VulnCheck GHSA-vv88-699v-w5rh
6.0
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

Network vector as server controls the trigger; AC:H for specific iconv E2BIG path; UI:R since user must run wget against the malicious server; no confidentiality impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 20:57 vuln.today

DescriptionCVE.org

GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.

AnalysisAI

Heap buffer overflow in GNU Wget through 1.25.0 allows network-positioned attackers to corrupt heap memory by serving a maliciously crafted filename that triggers a flawed iconv E2BIG reallocation path in convert_fname() within src/url.c. The miscalculated remaining-space offset during reallocation writes beyond the allocated heap region, producing a high-availability impact (process crash) and limited integrity exposure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker hosts malicious HTTP server
Delivery
Craft Content-Disposition filename triggering iconv E2BIG
Exploit
User or script runs wget against attacker URL
Execution
convert_fname() enters reallocation branch
Persist
Miscalculated offset causes heap write-past-end
Impact
Process crash or limited heap corruption

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to run GNU Wget version 1.25.0 or earlier compiled with iconv support, and to contact an attacker-controlled server that responds with a filename requiring cross-charset iconv conversion (e.g., a Content-Disposition header containing a filename with multi-byte or non-ASCII characters). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.0 (vector AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N) reflects several important risk-limiting factors: high attack complexity (AC:H) because triggering the E2BIG reallocation path requires precise character set conversion conditions, and passive user interaction (UI:P) because a user or automated process must initiate a wget download against an attacker-controlled endpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operates a malicious HTTP server and serves a response with a Content-Disposition filename containing characters sized and encoded to trigger the iconv E2BIG reallocation branch in convert_fname(). When a user or CI/CD pipeline script runs wget against that URL, convert_fname() allocates an output buffer, receives E2BIG from iconv, attempts to reallocate with a miscalculated offset, and overwrites adjacent heap memory - crashing the process or, under favorable heap conditions, achieving limited write primitives. …
Remediation Apply the upstream fix from commit c2640fe5171c59f87c58dc9fcb195b2d18b010ee, available at https://gitlab.com/gnuwget/wget/-/commit/c2640fe5171c59f87c58dc9fcb195b2d18b010ee. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Wget

View all
CVE-2014-4877 CRITICAL POC
9.3 Oct 29

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to w

CVE-2016-4971 HIGH POC
8.8 Jun 30

GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted F

CVE-2017-13089 HIGH
8.8 Oct 27

The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. Rated high sev

CVE-2016-7098 HIGH POC
8.1 Sep 26

Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow

CVE-2018-20483 HIGH POC
7.8 Dec 26

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata at

CVE-2017-13090 HIGH
8.8 Oct 27

The retr.c:fd_read_body() function is called when processing OK responses. Rated high severity (CVSS 8.8), this vulnerab

CVE-2018-0494 MEDIUM POC
6.5 May 06

GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequen

CVE-2017-6508 MEDIUM POC
6.1 Mar 07

CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject

CVE-2019-5953 CRITICAL
9.8 May 17

Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute

CVE-2024-38428 CRITICAL
9.1 Jun 16

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be inse

CVE-2026-58469 HIGH
8.7 Jul 07

Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving

CVE-2026-58470 MEDIUM
6.9 Jul 07

Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sess

Share

CVE-2026-58471 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy