Skip to main content

GNU libidn EUVDEUVD-2026-38523

| CVE-2026-57053 LOW
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-06-23 mitre GHSA-xpv7-vm32-p7wv
2.5
CVSS 3.1 · NVD

Severity by source

Vendor (mitre) PRIMARY
MEDIUM
qualitative
NVD
2.5 LOW
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable via any application processing untrusted domain names; uninitialized memory reads warrant C:L; no integrity impact from read-only access.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
4.0 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from Vendor (mitre).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Severity Changed
Jun 29, 2026 - 19:52 NVD
MEDIUM LOW
CVSS changed
Jun 29, 2026 - 19:52 NVD
4.0 (MEDIUM) 2.5 (LOW)
Patch available
Jun 23, 2026 - 19:02 EUVD
Analysis Generated
Jun 23, 2026 - 17:51 vuln.today

DescriptionNVD

GNU libidn before 1.44 is prone to out-of-bounds reads of uninitialized memory in the ToUnicode APIs because of mishandling in idna_to_unicode_internal. The affected code is not present in libidn2.

AnalysisAI

Out-of-bounds reads of uninitialized memory in GNU libidn before version 1.44 are triggerable through the ToUnicode IDNA APIs when malformed internationalized domain name input is processed by the vulnerable function idna_to_unicode_internal. Applications statically or dynamically linked against affected libidn versions that pass attacker-influenced hostname strings to these APIs are exposed to integrity and availability disruption. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malformed Punycode/IDN hostname string
Delivery
Deliver to application linked against libidn < 1.44
Exploit
Application invokes ToUnicode API
Execution
idna_to_unicode_internal fails to validate input quantity
Persist
Out-of-bounds read of uninitialized memory
Impact
Integrity or availability disruption in calling application

Vulnerability AssessmentAI

Exploitation The target environment must have an application linked against GNU libidn (not libidn2) in a version prior to 1.44 that passes attacker-influenced internationalized domain name strings to the ToUnicode API. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 4.0 with vector AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L reflects a constrained risk profile, but several metric choices warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker able to influence the internationalized domain name strings processed by an application using GNU libidn - for example, by sending a crafted DNS response, email header, or URI containing a malformed Punycode label - could cause `idna_to_unicode_internal` to read beyond an allocated buffer into uninitialized memory. This could result in application instability, a crash (availability impact), or exposure of in-process memory contents. …
Remediation The primary remediation is upgrading GNU libidn to version 1.44 or later, which addresses the mishandling in `idna_to_unicode_internal`; upgrade guidance is available through the GNU help-libidn mailing list at https://lists.gnu.org/archive/html/help-libidn/2026-06/msg00001.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise Micro 5.3 Not-Affected

Share

EUVD-2026-38523 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy