Skip to main content

Gawk

5 CVEs product

Monthly

CVE-2026-40553 MEDIUM PATCH This Month

Stack-based buffer overflow in gawk's readdir extension (extension/readdir.c, ftype() routine) affects all gawk releases through version 5.4.0, enabling a local attacker to crash the process and theoretically achieve code execution. The RCE angle is explicitly unconfirmed by the reporter (CERT-PL), making denial-of-service the primary demonstrated impact at this time. No public exploit identified at time of analysis; an upstream source-level patch commit is available on GNU Savannah.

Stack Overflow RCE Buffer Overflow Gawk
NVD VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-40469 MEDIUM PATCH This Month

Integer overflow in gawk's do_sub() routine (builtin.c) enables heap metadata corruption on 32-bit builds, crashing the process. Affecting all gawk versions through 5.4.0 compiled for 32-bit architectures, this flaw was reported by CERT-PL and is limited exclusively to the availability domain - the CVSS 4.0 vector confirms no confidentiality or integrity impact. No public exploit code or active exploitation has been identified at time of analysis, and a patch commit is available upstream.

Denial Of Service Integer Overflow Gawk
NVD VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-40468 LOW PATCH Monitor

Integer overflow in GNU gawk's builtin.c (versions 5.4.0 and below) enables heap metadata corruption and memory exhaustion when gawk processes attacker-crafted input. The flaw stems from a CWE-190 integer wraparound condition that can be triggered locally to overwrite heap objects with attacker-controlled bytes, potentially escalating from a denial-of-service to memory corruption with partial integrity impact. No public exploit identified at time of analysis, and CERT-PL reported this with a low CVSS 4.0 base score of 2.1, reflecting a limited, local attack surface with specific attack prerequisites.

Integer Overflow Buffer Overflow Gawk
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-40467 MEDIUM PATCH This Month

Use-after-free memory corruption in gawk's do_getline_redir() routine within io.c allows a local attacker to crash the gawk process, causing a denial of service. All gawk versions 5.4.0 and below are affected, as confirmed by CERT-PL and an upstream patch commit. No active exploitation has been identified (not in CISA KEV), and the impact is confined to availability - no confidentiality or integrity effects have been demonstrated.

Denial Of Service Use After Free Memory Corruption Gawk
NVD VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2023-4156 HIGH POC This Week

A heap out-of-bounds read flaw was found in builtin.c in the gawk package. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Gawk Enterprise Linux Fedora
NVD
CVSS 3.1
7.1
EPSS
0.4%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stack-based buffer overflow in gawk's readdir extension (extension/readdir.c, ftype() routine) affects all gawk releases through version 5.4.0, enabling a local attacker to crash the process and theoretically achieve code execution. The RCE angle is explicitly unconfirmed by the reporter (CERT-PL), making denial-of-service the primary demonstrated impact at this time. No public exploit identified at time of analysis; an upstream source-level patch commit is available on GNU Savannah.

Stack Overflow RCE Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Integer overflow in gawk's do_sub() routine (builtin.c) enables heap metadata corruption on 32-bit builds, crashing the process. Affecting all gawk versions through 5.4.0 compiled for 32-bit architectures, this flaw was reported by CERT-PL and is limited exclusively to the availability domain - the CVSS 4.0 vector confirms no confidentiality or integrity impact. No public exploit code or active exploitation has been identified at time of analysis, and a patch commit is available upstream.

Denial Of Service Integer Overflow Gawk
NVD VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Integer overflow in GNU gawk's builtin.c (versions 5.4.0 and below) enables heap metadata corruption and memory exhaustion when gawk processes attacker-crafted input. The flaw stems from a CWE-190 integer wraparound condition that can be triggered locally to overwrite heap objects with attacker-controlled bytes, potentially escalating from a denial-of-service to memory corruption with partial integrity impact. No public exploit identified at time of analysis, and CERT-PL reported this with a low CVSS 4.0 base score of 2.1, reflecting a limited, local attack surface with specific attack prerequisites.

Integer Overflow Buffer Overflow Gawk
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Use-after-free memory corruption in gawk's do_getline_redir() routine within io.c allows a local attacker to crash the gawk process, causing a denial of service. All gawk versions 5.4.0 and below are affected, as confirmed by CERT-PL and an upstream patch commit. No active exploitation has been identified (not in CISA KEV), and the impact is confined to availability - no confidentiality or integrity effects have been demonstrated.

Denial Of Service Use After Free Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH POC This Week

A heap out-of-bounds read flaw was found in builtin.c in the gawk package. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Information Disclosure Gawk +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy