PatchSiren cyber security CVE debrief
CVE-2026-58471 gnuwget CVE debrief
CVE-2026-58471 is a heap buffer overflow vulnerability in GNU Wget through 1.25.0. The vulnerability exists in the convert_fname() function within src/url.c and allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response. This vulnerability has a CVSS score of 6 and a severity of MEDIUM.
- Vendor
- gnuwget
- Product
- wget
- CVSS
- MEDIUM 6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of GNU Wget versions through 1.25.0 should be aware of this vulnerability and take steps to mitigate it. This includes updating to a version of GNU Wget that includes the fix, such as version 1.25.1 or later. Operators, platform administrators, vulnerability management teams, and security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.
Technical summary
The vulnerability exists in the convert_fname() function within src/url.c of GNU Wget through 1.25.0. A heap buffer overflow occurs when the output buffer is too small during iconv E2BIG reallocation. The reallocation logic miscalculates the remaining space, allowing remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. This can be exploited via a maliciously crafted server response. Users of GNU Wget versions through 1.25.0 should be aware of this vulnerability and take steps to mitigate it.
Defensive priority
Medium
Recommended defensive actions
- Update GNU Wget to version 1.25.1 or later
- Restrict access to GNU Wget to trusted users and networks
- Monitor GNU Wget logs for suspicious activity
- Implement additional security controls, such as input validation and error handling
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-07T21:17:28.710Z and has not been modified since then. The NVD entry is currently Received. There is limited evidence available to confirm affected scope and severity. Defenders should verify the official CVE record and NVD entry for the most up-to-date information. The vulnerability exists in GNU Wget through 1.25.0, specifically in the convert_fname() function within src/url.c. The vulnerability allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T21:17:28.710Z and has not been modified since then.