git.ipfire.org Git - thirdparty/glibc.git/commitdiff
Add advisory text for CVE-2026-6791 master
author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Tue, 21 Apr 2026 14:08:27 +0000 (11:08 -0300)
committer: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Mon, 22 Jun 2026 17:16:35 +0000 (14:16 -0300)
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Reviewed-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
advisories/GLIBC-SA-2026-0013 [new file with mode: 0644]

diff --git a/advisories/GLIBC-SA-2026-0013 b/advisories/GLIBC-SA-2026-0013
new file mode 100644 (file)
index 0000000..085a853
--- /dev/null
@@ -0,0 +1,20 @@
+Potential stack-based buffer clash during tilde expansion in wordexp
+
+Calling wordexp with a tilde (~) followed by an overly long username
+in the GNU C Library version 2.2.3 to 2.43 may lead to a stack buffer
+clash.
+
+When expanding paths that begin with a tilde (~) followed by a username, the
+internal parse_tilde function extracts the username to determine the user's
+home directory.  The implementation allocates memory for this username directly
+on the stack using the strndupa macro.  Because the size of this allocation
+was determined by the length of the user-supplied input without any bounds
+checks, passing an excessively long username e.g. thousands of characters,
+forces the thread to exhaust its stack space. Thus if an application passes
+untrusted, attacker-controlled input to the wordexp function, an attacker
+can trigger a stack clash.
+
+CVE-Id: CVE-2026-6791
+Public-Date: 2026-06-22
+Vulnerable-Commit: 344af000e1d6e9c7882b9bc48e71cb3f1b5fc03c (2.2.3-114)
+Reported-by: storm
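
Review bot: The metadata block at the end of the new advisory has a Vulnerable-Commit line but no Fix-Commit line, while the description gives the affected range as 2.2.3 to 2.43 and describes the unbounded strndupa allocation in the past tense ("was determined"), so a reader cannot tell from this file which commit or release carries the fix. Add a Fix-Commit entry for the fixing commit (and one per release branch if it is backported), or switch the description to present tense if no fix has landed yet. The text also uses three names for the same condition ("stack-based buffer clash" in the title, "stack buffer clash" and "stack clash" in the body); pick one, and state the consequence for the calling process so users can judge severity. Minor: "an excessively long username e.g. thousands of characters," should set the example off with commas or parentheses.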