From bc76aa16589494458b8430da38d077d399fe8990 Mon Sep 17 00:00:00 2001 From: Adhemerval Zanella Date: Tue, 21 Apr 2026 11:08:27 -0300 Subject: [PATCH] Add advisory text for CVE-2026-6791 Reviewed-by: Carlos O'Donell Reviewed-by: Siddhesh Poyarekar --- advisories/GLIBC-SA-2026-0013 | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 advisories/GLIBC-SA-2026-0013 diff --git a/advisories/GLIBC-SA-2026-0013 b/advisories/GLIBC-SA-2026-0013 new file mode 100644 index 0000000000..085a853434 --- /dev/null +++ b/advisories/GLIBC-SA-2026-0013 @@ -0,0 +1,20 @@ +Potential stack-based buffer clash during tilde expansion in wordexp + +Calling wordexp with a tilde (~) followed by an overly long username +in the GNU C Library version 2.2.3 to 2.43 may lead to a stack buffer +clash. + +When expanding paths that begin with a tilde (~) followed by a username, the +internal parse_tilde function extracts the username to determine the user's +home directory. The implementation allocates memory for this username directly +on the stack using the strndupa macro. Because the size of this allocation +was determined by the length of the user-supplied input without any bounds +checks, passing an excessively long username e.g. thousands of characters, +forces the thread to exhaust its stack space. Thus if an application passes +untrusted, attacker-controlled input to the wordexp function, an attacker +can trigger a stack clash. + +CVE-Id: CVE-2026-6791 +Public-Date: 2026-06-22 +Vulnerable-Commit: 344af000e1d6e9c7882b9bc48e71cb3f1b5fc03c (2.2.3-114) +Reported-by: storm -- 2.47.3
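Review bot: The metadata block at the end of the advisory carries CVE-Id, Public-Date, Vulnerable-Commit and Reported-by but no Fix-Commit line, even though the description bounds the affected range at 2.43. Please add the Fix-Commit entries (mainline and any release-branch backports), or say in the commit message that they follow in a later patch, so readers can tell which builds are corrected. Two related checks on the same block: Public-Date is 2026-06-22 while the patch itself is dated 21 Apr 2026, so confirm the date is intended; and Vulnerable-Commit is annotated "(2.2.3-114)" while the text says "version 2.2.3 to 2.43", so confirm that the 2.2.3 release itself contains the vulnerable commit and adjust the lower bound if it does not. On wording, the title says "stack-based buffer clash", the summary says "stack buffer clash" and the last sentence says "stack clash"; pick one term and use it throughout. The long paragraph also mixes tenses ("allocates" against "was determined") and "e.g. thousands of characters" should be set off with commas. Since the text names untrusted input reaching wordexp as the precondition, a sentence on what callers can do until they upgrade (for example, bounding the input length before the call) would make the advisory more actionable.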