{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5450", "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "state": "PUBLISHED", "assignerShortName": "glibc", "dateReserved": "2026-04-02T21:47:21.403Z", "datePublished": "2026-04-20T20:55:41.170Z", "dateUpdated": "2026-04-20T20:55:41.170Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "shortName": "glibc", "dateUpdated": "2026-04-20T20:55:41.170Z"}, "title": "scanf %mc off-by-one heap buffer overflow", "datePublic": "2026-03-19T17:36:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "CWE-122 Heap-based buffer overflow", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "affected": [{"vendor": "The GNU C Library", "product": "glibc", "versions": [{"status": "affected", "version": "2.7", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow."}]}], "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450", "tags": ["issue-tracking"]}, {"url": "https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u", "tags": ["mailing-list"]}], "credits": [{"lang": "en", "value": "Rocket Ma", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow."}], "id": "CVE-2026-5450", "lastModified": "2026-04-20T21:16:36.850", "metrics": {}, "published": "2026-04-20T21:16:36.850", "references": [{"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u"}, {"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"}], "sourceIdentifier": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.7,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "glibc", "source": "cna", "vendor": "The GNU C Library"}, "product": "glibc", "vendor": "the_gnu_c_library"}], "analysis": {"en": {"generated_at": "2026-04-20T23:57:59.590817+00:00", "value": {"mitigation_remediation": ["Upgrade the GNU C Library to a version that fixes the %mc heap overflow (glibc\u202f2.44 or later).", "If an upgrade cannot be applied immediately, modify application code to avoid using the scanf %mc specifier with an explicit width greater than 1024, or replace scanf with safer parsing functions such as strnlen or fgets.", "Enable or verify that memory protection mechanisms such as stack canaries, ASLR, and PIE are in effect on affected binaries to mitigate the impact of any remaining memory corruption."], "summary": {"action": "Patch glibc", "impact": "Heap Buffer Overflow (memory corruption)"}, "threat_synthesis": {"affected_systems": "Systems using the GNU C Library (glibc) versions 2.7 through 2.43 are affected, which covers most Linux distributions and any applications that link against these glibc releases. Users who run binaries built against these library versions, especially those that process untrusted input with scanf and include a %mc specifier, are at risk.", "description_and_impact": "The vulnerability arises when an application calls a scanf family function with the %mc conversion specifier and includes an explicit width larger than 1024. This causes a one\u2011byte overflow on a heap buffer, potentially corrupting adjacent memory. The affected conversion can overwrite adjacent heap objects, leading to undefined behavior that could allow an attacker to corrupt data, trigger a crash, or, with additional conditions, achieve remote code execution. The flaw is characterized as a classic heap buffer overflow (CWE\u2011122).", "risk_and_exploitability": "The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that no widespread exploit activity has been reported thus far. The CVSS score is not provided, so the severity is uncertain; however, because the overflow is off\u2011by\u2011one and limited to a single byte, the exploitation difficulty is moderate, requiring the attacker to supply input that passes through a scanf with a large width. The likely attack vector is a local or remote user passing specially crafted data to a vulnerable process, and the impact could be denial of service or, with sufficient control, privilege escalation or arbitrary code execution."}}}}, "created": "2026-04-20T23:00:12.741832+00:00", "updated": "2026-04-21T00:00:13.350971+00:00", "vendors": ["the_gnu_c_library", "the_gnu_c_library$PRODUCT$glibc"]}