Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Untrusted GVariant/D-Bus input is remotely reachable without auth or interaction (AV:N/AC:L/PR:N/UI:N); one-byte over-read gives C:L, no integrity impact, and a page-boundary crash yields A:H.
Primary rating from Vendor (redhat).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Lifecycle Timeline
7DescriptionNVD
A flaw was found in GLib. An off-by-one error can occur in the gvs_tuple_is_normal function in the glib/gvariant-serialiser.c file when doing an alignment padding check because the bounds check uses > instead of >=, causing an out-of-bounds read of only 1 byte. This issue can cause a minor information disclosure of 1 byte and a denial of service when the out-of-bounds read crosses a page boundary.
AnalysisAI
Out-of-bounds read in GNOME GLib's GVariant serialiser allows remote attackers to leak a single byte of adjacent memory and to crash applications that deserialise untrusted GVariant data. The flaw sits in gvs_tuple_is_normal() in glib/gvariant-serialiser.c, where an alignment-padding bounds check uses '>' instead of '>=', reading one byte past the buffer; when that byte falls across a page boundary the process faults, producing a denial of service. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a vulnerable GLib version (below 2.88.1 / 2.86.5) deserialises attacker-controlled GVariant data - most realistically via a D-Bus service, GSettings input, or any application that parses externally-sourced GVariant tuples through gvs_tuple_is_normal(). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderate and partially conflicting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a crafted GVariant-serialised message (for example over a D-Bus interface or another IPC path that deserialises untrusted GVariant data) whose tuple padding is sized to trigger the off-by-one read in gvs_tuple_is_normal(). The over-read leaks one adjacent byte back to the attacker or, if the byte lies on an unmapped page, crashes the consuming process, denying service. … |
| Remediation | Vendor-released patch: upgrade GLib to 2.88.1 (or 2.86.5 on the 2.86 maintenance branch) or later, per the ENISA EUVD fixed-version data; on Red Hat Enterprise Linux apply the distribution glib2 update tracked at https://access.redhat.com/security/cve/CVE-2026-58010 and Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2492243, with upstream detail at https://gitlab.gnome.org/GNOME/glib/-/issues/3915. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory GLib versions across all Linux systems and identify business-critical applications dependent on affected versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Enterprise Linux
View allSudo before 1.9.17p1 contains a local root escalation vulnerability (CVE-2025-32463, CVSS 9.3) through the --chroot opti
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), t
A heap-based buffer overflow flaw was found in the rsync daemon. Rated critical severity (CVSS 9.8), this vulnerability
Stack-based buffer overflow in libxml2's xmlBuildQName function allows remote unauthenticated attackers to crash affecte
Server-to-client path traversal in rsync lets a malicious or compromised rsync server write files outside the client's i
A vulnerability was found in GnuTLS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no auth
A flaw was found in xfig. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit co
CVE-2025-5914 is an integer overflow vulnerability in libarchive's archive_read_format_rar_seek_data() function that lea
A flaw was found in Yelp. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication
A flaw was found in libsoup. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authenticati
A flaw was found in rsync. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authenticati
Same weakness CWE-126 – Buffer Over-read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40312
GHSA-m7rp-473c-296x