Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector as server controls the trigger; AC:H for specific iconv E2BIG path; UI:R since user must run wget against the malicious server; no confidentiality impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.
AnalysisAI
Heap buffer overflow in GNU Wget through 1.25.0 allows network-positioned attackers to corrupt heap memory by serving a maliciously crafted filename that triggers a flawed iconv E2BIG reallocation path in convert_fname() within src/url.c. The miscalculated remaining-space offset during reallocation writes beyond the allocated heap region, producing a high-availability impact (process crash) and limited integrity exposure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to run GNU Wget version 1.25.0 or earlier compiled with iconv support, and to contact an attacker-controlled server that responds with a filename requiring cross-charset iconv conversion (e.g., a Content-Disposition header containing a filename with multi-byte or non-ASCII characters). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.0 (vector AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N) reflects several important risk-limiting factors: high attack complexity (AC:H) because triggering the E2BIG reallocation path requires precise character set conversion conditions, and passive user interaction (UI:P) because a user or automated process must initiate a wget download against an attacker-controlled endpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operates a malicious HTTP server and serves a response with a Content-Disposition filename containing characters sized and encoded to trigger the iconv E2BIG reallocation branch in convert_fname(). When a user or CI/CD pipeline script runs wget against that URL, convert_fname() allocates an output buffer, receives E2BIG from iconv, attempts to reallocate with a miscalculated offset, and overwrites adjacent heap memory - crashing the process or, under favorable heap conditions, achieving limited write primitives. … |
| Remediation | Apply the upstream fix from commit c2640fe5171c59f87c58dc9fcb195b2d18b010ee, available at https://gitlab.com/gnuwget/wget/-/commit/c2640fe5171c59f87c58dc9fcb195b2d18b010ee. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to w
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted F
The http.c:skip_short_body() function is called in some circumstances, such as when processing redirects. Rated high sev
Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata at
The retr.c:fd_read_body() function is called when processing OK responses. Rated high severity (CVSS 8.8), this vulnerab
GNU Wget before 1.19.5 is prone to a cookie injection vulnerability in the resp_new function in http.c via a \r\n sequen
CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject
Buffer overflow in GNU Wget 1.20.1 and earlier allows remote attackers to cause a denial-of-service (DoS) or may execute
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be inse
Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving
Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sess
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42083
GHSA-vv88-699v-w5rh