PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58471 gnuwget CVE debrief

CVE-2026-58471 is a heap buffer overflow vulnerability in GNU Wget through 1.25.0. The vulnerability exists in the convert_fname() function within src/url.c and allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response. This vulnerability has a CVSS score of 6 and a severity of MEDIUM.

Vendor
gnuwget
Product
wget
CVSS
MEDIUM 6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-07
Original CVE updated
2026-07-07
Advisory published
2026-07-07
Advisory updated
2026-07-07

Who should care

Users of GNU Wget versions through 1.25.0 should be aware of this vulnerability and take steps to mitigate it. This includes updating to a version of GNU Wget that includes the fix, such as version 1.25.1 or later. Operators, platform administrators, vulnerability management teams, and security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

The vulnerability exists in the convert_fname() function within src/url.c of GNU Wget through 1.25.0. A heap buffer overflow occurs when the output buffer is too small during iconv E2BIG reallocation. The reallocation logic miscalculates the remaining space, allowing remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. This can be exploited via a maliciously crafted server response. Users of GNU Wget versions through 1.25.0 should be aware of this vulnerability and take steps to mitigate it.

Defensive priority

Medium

Recommended defensive actions

  • Update GNU Wget to version 1.25.1 or later
  • Restrict access to GNU Wget to trusted users and networks
  • Monitor GNU Wget logs for suspicious activity
  • Implement additional security controls, such as input validation and error handling
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-07T21:17:28.710Z and has not been modified since then. The NVD entry is currently Received. There is limited evidence available to confirm affected scope and severity. Defenders should verify the official CVE record and NVD entry for the most up-to-date information. The vulnerability exists in GNU Wget through 1.25.0, specifically in the convert_fname() function within src/url.c. The vulnerability allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T21:17:28.710Z and has not been modified since then.