{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5450", "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "state": "PUBLISHED", "assignerShortName": "glibc", "dateReserved": "2026-04-02T21:47:21.403Z", "datePublished": "2026-04-20T20:55:41.170Z", "dateUpdated": "2026-04-21T19:49:53.221Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "shortName": "glibc", "dateUpdated": "2026-04-20T20:55:41.170Z"}, "title": "scanf %mc off-by-one heap buffer overflow", "datePublic": "2026-03-19T17:36:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "CWE-122 Heap-based buffer overflow", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "affected": [{"vendor": "The GNU C Library", "product": "glibc", "versions": [{"status": "affected", "version": "2.7", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow."}]}], "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450", "tags": ["issue-tracking"]}, {"url": "https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u", "tags": ["mailing-list"]}], "credits": [{"lang": "en", "value": "Rocket Ma", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T16:11:50.875542Z", "id": "CVE-2026-5450", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:49:53.221Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5450", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-21T16:11:50.875542Z"}}}], "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T16:04:17.997Z"}}], "cna": {"title": "scanf %mc off-by-one heap buffer overflow", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Rocket Ma"}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "affected": [{"vendor": "The GNU C Library", "product": "glibc", "versions": [{"status": "affected", "version": "2.7", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-19T17:36:00.000Z", "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450", "tags": ["issue-tracking"]}, {"url": "https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u", "tags": ["mailing-list"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.", "supportingMedia": [{"type": "text/html", "value": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122 Heap-based buffer overflow"}]}], "providerMetadata": {"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "shortName": "glibc", "dateUpdated": "2026-04-20T20:55:41.170Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5450", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:49:53.221Z", "dateReserved": "2026-04-02T21:47:21.403Z", "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "datePublished": "2026-04-20T20:55:41.170Z", "assignerShortName": "glibc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow."}], "id": "CVE-2026-5450", "lastModified": "2026-04-21T20:17:04.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T21:16:36.850", "references": [{"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u"}, {"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"}], "sourceIdentifier": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "type": "Secondary"}]}

{"bugzilla": {"description": "glibc: glibc: Heap Buffer Overflow in `scanf` with `%mc` format specifier and large width", "id": "2459853", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459853"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["A flaw was found in glibc (GNU C Library). This vulnerability occurs when an application uses the `scanf` family of functions with a `%mc` format specifier, which is used for dynamically allocating memory for character input, and provides an explicit width greater than 1024. This specific combination can lead to a one-byte heap buffer overflow, potentially allowing an attacker to corrupt memory."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-5450", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "compat-glibc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "compat-glibc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Fix deferred", "package_name": "glibc", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-20T20:55:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5450\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5450\nhttps://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u\nhttps://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.7,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "glibc", "source": "cna", "vendor": "The GNU C Library"}, "product": "glibc", "vendor": "the_gnu_c_library"}], "analysis": {"en": {"generated_at": "2026-04-22T05:53:27.894678+00:00", "value": {"mitigation_remediation": ["Upgrade the GNU C Library to a version that fixes the %mc heap overflow (glibc\u202f2.44 or later).", "If an upgrade cannot be applied immediately, modify application code to avoid using the scanf %mc specifier with an explicit width greater than 1024, or replace scanf with safer parsing functions such as strnlen or fgets.", "Enable or verify that memory protection mechanisms such as stack canaries, ASLR, and PIE are in effect on affected binaries to mitigate the impact of any remaining memory corruption."], "summary": {"action": "Patch glibc", "impact": "Heap Buffer Overflow (memory corruption)"}, "threat_synthesis": {"affected_systems": "Systems using the GNU C Library (glibc) versions 2.7 through 2.43 are affected, which covers most Linux distributions and any applications that link against these glibc releases. Users who run binaries built against these library versions, especially those that process untrusted input with scanf and include a %mc specifier, are at risk.", "description_and_impact": "The vulnerability arises when an application calls a scanf family function with the %mc conversion specifier and includes an explicit width larger than 1024. This causes a one\u2011byte overflow on a heap buffer, potentially corrupting adjacent memory. The affected conversion can overwrite adjacent heap objects, leading to undefined behavior that could allow an attacker to corrupt data, trigger a crash, or, with additional conditions, achieve remote code execution. The flaw is characterized as a classic heap buffer overflow (CWE\u2011122).", "risk_and_exploitability": "The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating that no widespread exploit activity has been reported thus far. The CVSS score of 9.8 indicates high severity, but because the overflow is off\u2011by\u2011one and limited to a single byte, the exploitation difficulty is moderate, requiring the attacker to supply input that passes through a scanf with a large width. The likely attack vector is a local or remote user passing specially crafted data to a vulnerable process, and the impact could be denial of service or, with sufficient control, privilege escalation or arbitrary code execution."}}}}, "created": "2026-04-20T23:00:12.741832+00:00", "updated": "2026-04-22T06:00:09.660020+00:00", "vendors": ["the_gnu_c_library", "the_gnu_c_library$PRODUCT$glibc"]}