Skip to main content

Patch

13 CVEs product

Monthly

CVE-2026-56289 MEDIUM PATCH This Month

GNU patch enters an infinite CPU-consuming loop when processing a specially crafted unified-diff file containing an excessively large hunk line offset, resulting in a denial of service. The utility becomes unresponsive and must be manually terminated, impacting any pipeline, CI/CD system, or developer workflow that applies untrusted patch files. No public exploit has been identified at time of analysis, and an upstream fix commit has been published by the maintainers on Savannah; a formally tagged release is not yet independently confirmed.

Denial Of Service Patch
NVD VulDB
CVSS 4.0
4.6
EPSS
0.1%
CVE-2026-56288 MEDIUM PATCH This Month

GNU patch crashes with a NULL pointer dereference when a user applies a specially crafted unified-diff file, resulting in denial of service. Improper handling of consecutive end-of-file newline markers corrupts internal hunk data structures, causing a NULL pointer to be passed to fwrite() during processing. No public exploit has been identified at time of analysis and no CISA KEV listing exists; real-world impact is constrained by the requirement for user interaction with a malicious file.

Denial Of Service Null Pointer Dereference Patch
NVD VulDB
CVSS 4.0
4.6
EPSS
0.1%
CVE-2025-15337 MEDIUM This Month

Tanium addressed an incorrect default permissions vulnerability in Patch. [CVSS 6.5 MEDIUM]

Privilege Escalation Patch
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15326 MEDIUM This Month

Tanium addressed an improper access controls vulnerability in Patch. [CVSS 4.3 MEDIUM]

Authentication Bypass Patch
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2021-45261 MEDIUM POC This Month

An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Patch
NVD
CVSS 3.1
5.5
EPSS
0.7%
CVE-2019-13638 HIGH PATCH This Week

GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Patch Debian Linux
NVD GitHub
CVSS 3.0
7.8
EPSS
4.5%
CVE-2019-13636 MEDIUM PATCH This Month

In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Patch
NVD GitHub
CVSS 3.0
5.9
EPSS
3.9%
CVE-2018-1000156 HIGH This Week

GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Patch Ubuntu Linux Debian Linux Enterprise Linux Desktop +5
NVD
CVSS 3.0
7.8
EPSS
5.6%
CVE-2018-6952 HIGH This Week

A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Patch
NVD
CVSS 3.0
7.5
EPSS
8.4%
CVE-2018-6951 HIGH PATCH This Week

An issue was discovered in GNU patch through 2.7.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Denial Of Service Patch Ubuntu Linux
NVD
CVSS 3.0
7.5
EPSS
8.6%
CVE-2015-1395 HIGH PATCH This Week

Directory traversal vulnerability in GNU patch versions which support Git-style patching before 2.7.3 allows remote attackers to write to arbitrary files with the permissions of the target user via a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Fedora Ubuntu Linux Patch
NVD
CVSS 3.0
7.5
EPSS
3.7%
CVE-2014-9637 MEDIUM PATCH This Month

GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fault) via a crafted diff file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Denial Of Service Fedora Mageia Ubuntu Linux Patch
NVD
CVSS 3.0
5.5
EPSS
0.3%
CVE-2015-1196 MEDIUM POC PATCH This Month

GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

Information Disclosure Opensuse Solaris Patch
NVD
CVSS 2.0
4.3
EPSS
0.9%
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

GNU patch enters an infinite CPU-consuming loop when processing a specially crafted unified-diff file containing an excessively large hunk line offset, resulting in a denial of service. The utility becomes unresponsive and must be manually terminated, impacting any pipeline, CI/CD system, or developer workflow that applies untrusted patch files. No public exploit has been identified at time of analysis, and an upstream fix commit has been published by the maintainers on Savannah; a formally tagged release is not yet independently confirmed.

Denial Of Service Patch
NVD VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

GNU patch crashes with a NULL pointer dereference when a user applies a specially crafted unified-diff file, resulting in denial of service. Improper handling of consecutive end-of-file newline markers corrupts internal hunk data structures, causing a NULL pointer to be passed to fwrite() during processing. No public exploit has been identified at time of analysis and no CISA KEV listing exists; real-world impact is constrained by the requirement for user interaction with a malicious file.

Denial Of Service Null Pointer Dereference Patch
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Tanium addressed an incorrect default permissions vulnerability in Patch. [CVSS 6.5 MEDIUM]

Privilege Escalation Patch
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Tanium addressed an improper access controls vulnerability in Patch. [CVSS 4.3 MEDIUM]

Authentication Bypass Patch
NVD
EPSS 1% CVSS 5.5
MEDIUM POC This Month

An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Patch
NVD
EPSS 5% CVSS 7.8
HIGH PATCH This Week

GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Patch Debian Linux
NVD GitHub
EPSS 4% CVSS 5.9
MEDIUM PATCH This Month

In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Patch
NVD GitHub
EPSS 6% CVSS 7.8
HIGH This Week

GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Patch Ubuntu Linux +7
NVD
EPSS 8% CVSS 7.5
HIGH This Week

A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Patch
NVD
EPSS 9% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in GNU patch through 2.7.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Denial Of Service Patch +1
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

Directory traversal vulnerability in GNU patch versions which support Git-style patching before 2.7.3 allows remote attackers to write to arbitrary files with the permissions of the target user via a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Fedora Ubuntu Linux +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

GNU patch 2.7.2 and earlier allows remote attackers to cause a denial of service (memory consumption and segmentation fault) via a crafted diff file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Denial Of Service Fedora Mageia +2
NVD
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

Information Disclosure Opensuse Solaris +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy