Skip to main content

GNU patch EUVDEUVD-2026-42557

| CVE-2026-56289 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-07-09 CERT-PL GHSA-3m3r-f94v-4mf8
4.6
CVSS 4.0 · Vendor: CERT-PL
Share

Severity by source

Vendor (CERT-PL) PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.3 LOW

Local vector (AV:L) and required user interaction (UI:R) because victim must actively run patch against a malicious file; only availability impacted (A:L), no confidentiality or integrity loss.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

Primary rating from Vendor (CERT-PL).

CVSS VectorVendor: CERT-PL

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 12:08 vuln.today

DescriptionCVE.org

GNU patch is vulnerable to a denial of service (DoS) due to improper validation of hunk (single block of changes in diff) line offsets in unified-diff input. A specially crafted patch can specify an extremely large line number, causing the application to enter an effectively infinite processing loop while attempting to locate the requested position. This results in excessive CPU consumption and prevents the process from completing. An attacker can trigger this behavior by supplying a malicious patch file, causing the utility to become unresponsive and require manual termination.

This issue has been fixed in the commit faba04ef4f2b410257f76c1b9dc85e350929c4b9

AnalysisAI

GNU patch enters an infinite CPU-consuming loop when processing a specially crafted unified-diff file containing an excessively large hunk line offset, resulting in a denial of service. The utility becomes unresponsive and must be manually terminated, impacting any pipeline, CI/CD system, or developer workflow that applies untrusted patch files. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft unified diff with extreme hunk line offset
Delivery
Host or deliver malicious patch file to target
Exploit
Victim invokes GNU patch on the file
Execution
Parser enters unbounded line-seek loop
Persist
CPU pegged at 100%, process unresponsive
Impact
Pipeline or session stalls until manual termination

Vulnerability AssessmentAI

Exploitation Active user interaction is required - the victim must explicitly invoke GNU patch and supply the malicious file as input (CVSS UI:A). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.6 accurately reflects the constrained real-world impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker embeds a unified diff with a hunk header specifying a line offset of INT64_MAX or a similarly extreme value and distributes it as a legitimate-looking patch file via a pull request, package repository contribution, or email. A developer or CI/CD job runs GNU patch against the file; the process immediately enters an infinite seek loop, pegs a CPU core at 100%, and the build pipeline stalls until the process is manually killed or a timeout fires. …
Remediation Apply the upstream fix commit faba04ef4f2b410257f76c1b9dc85e350929c4b9 from the GNU patch Savannah repository (cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=faba04ef4f2b410257f76c1b9dc85e350929c4b9). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Patch

View all
CVE-2021-45261 MEDIUM POC
5.5 Dec 22

An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service

CVE-2015-1196 MEDIUM POC
4.3 Jan 21

GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file. Rated medium s

CVE-2015-1395 HIGH
7.5 Aug 25

Directory traversal vulnerability in GNU patch versions which support Git-style patching before 2.7.3 allows remote atta

CVE-2019-13638 HIGH
7.8 Jul 26

GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch fil

CVE-2018-1000156 HIGH
7.8 Apr 06

GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_

CVE-2018-6952 HIGH
7.5 Feb 13

A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6. Rated high severity (CVSS 7.5), t

CVE-2018-6951 HIGH
7.5 Feb 13

An issue was discovered in GNU patch through 2.7.6. Rated high severity (CVSS 7.5), this vulnerability is remotely explo

CVE-2025-15337 MEDIUM
6.5 Feb 05

Tanium addressed an incorrect default permissions vulnerability in Patch. [CVSS 6.5 MEDIUM]

CVE-2019-13636 MEDIUM
5.9 Jul 17

In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. Rated mediu

CVE-2014-9637 MEDIUM
5.5 Aug 25

GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fa

CVE-2026-56288 MEDIUM
4.6 Jul 09

GNU patch crashes with a NULL pointer dereference when a user applies a specially crafted unified-diff file, resulting i

CVE-2025-15326 MEDIUM
4.3 Feb 05

Tanium addressed an improper access controls vulnerability in Patch. [CVSS 4.3 MEDIUM]

Share

EUVD-2026-42557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy