PatchSiren cyber security CVE debrief

CVE-2025-13601 Redhat CVE debrief

CVE-2025-13601 is a high-severity heap-based buffer overflow in GLib's g_escape_uri_string() function. The flaw comes from an incorrect buffer-size calculation: when the input contains a very large number of characters that must be escaped, the computed escaped length can overflow and the newly allocated buffer may be written past its end. The risk is most relevant to systems and applications that use the affected GLib code path and can be reached by local input. NVD's record also links the issue to multiple Red Hat and OpenShift product CPEs, and it marks GLib as affected up to, but not including, 2.86.3.

Vendor: Redhat
Product: Unknown
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-11-26
Original CVE updated: 2026-05-19
Advisory published: 2025-11-26
Advisory updated: 2026-05-19

Who should care

Platform teams running GLib-based software, especially Red Hat and OpenShift environments listed in the NVD CPE set, and developers or operators who call g_escape_uri_string() on untrusted local input.

Technical summary

The source description and NVD metadata indicate a heap-based buffer overflow triggered by an integer overflow in the escaped-length calculation inside g_escape_uri_string(). The weakness is mapped to CWE-190. NVD rates the issue 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), which means the attacker needs local access but no privileges or user interaction. The NVD CPE data marks GNOME GLib vulnerable through versions before 2.86.3 and includes many Red Hat platform/product entries, so the practical remediation focus should be on package/version inventory and vendor errata application.
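As an added illustration of the weakness class the summary describes (CWE-190, an escaped-length calculation that wraps and under-sizes the allocation), the following C is example code written for this debrief, not GLib's code and not the CVE's actual fix. It puts a toy URI escaper whose length calculation runs in unchecked 32-bit arithmetic beside a variant that bounds-checks the same calculation before allocating. The names needs_escape(), escaped_len_unchecked(), escaped_len_checked(), escape_uri_safe() and escape_matches() are hypothetical, and the escaping rule (unreserved ASCII passes, everything else becomes "%XX") is a simplified assumption rather than GLib's reserved-character tables.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified escaping rule (assumption, not GLib's tables): unreserved
 * ASCII passes through unchanged, every other byte becomes "%XX". */
static int needs_escape(unsigned char c)
{
    return !((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
             (c >= '0' && c <= '9') || c == '-' || c == '_' ||
             c == '.' || c == '~');
}

/* Unchecked pattern (CWE-190): each escaped byte grows to three bytes, so
 * the size needed is n_plain + 3 * n_escaped. Computed in a fixed 32-bit
 * width, a large n_escaped wraps to a small number; an allocation of that
 * small number followed by a write of the real output is the heap overflow. */
uint32_t escaped_len_unchecked(uint32_t n_plain, uint32_t n_escaped)
{
    return n_plain + 3u * n_escaped;   /* wraps silently past UINT32_MAX */
}

/* Checked variant: returns n_plain + 3 * n_escaped + 1 (the +1 is the NUL
 * terminator), or 0 if that value cannot be represented in size_t. A valid
 * length is always at least 1, so 0 unambiguously means "overflow". */
size_t escaped_len_checked(size_t n_plain, size_t n_escaped)
{
    if (n_plain > SIZE_MAX - 1)
        return 0;
    size_t budget = SIZE_MAX - 1 - n_plain;   /* room left for escapes */
    if (n_escaped > budget / 3)
        return 0;                             /* 3 * n_escaped would overflow */
    return n_plain + 3 * n_escaped + 1;
}

/* Escape s into a freshly allocated string; NULL if the size calculation
 * overflows or allocation fails. The caller frees the result. */
char *escape_uri_safe(const char *s)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n_plain = 0, n_escaped = 0, len;
    const unsigned char *p;

    for (p = (const unsigned char *)s; *p; p++) {
        if (needs_escape(*p)) n_escaped++; else n_plain++;
    }

    len = escaped_len_checked(n_plain, n_escaped);
    if (len == 0)
        return NULL;
    char *out = malloc(len);
    if (out == NULL)
        return NULL;

    char *q = out;
    for (p = (const unsigned char *)s; *p; p++) {
        if (needs_escape(*p)) {
            *q++ = '%';
            *q++ = hex[*p >> 4];
            *q++ = hex[*p & 0x0F];
        } else {
            *q++ = (char)*p;
        }
    }
    *q = '\0';   /* exactly len bytes written, matching the allocation */
    return out;
}

/* Convenience check: escape `in` and compare with `expected`. */
int escape_matches(const char *in, const char *expected)
{
    char *got = escape_uri_safe(in);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed workload: 1431655766 escapable bytes need 4294967298 bytes
     * of output, but the 32-bit calculation yields 2. */
    printf("unchecked length for 1431655766 escapes: %u\n",
           escaped_len_unchecked(0, 1431655766u));
    printf("checked length for SIZE_MAX/2 escapes: %zu (0 = refused)\n",
           escaped_len_checked(0, SIZE_MAX / 2));
    char *e = escape_uri_safe("a b/c");
    printf("escape_uri_safe(\"a b/c\") = %s\n", e ? e : "(refused)");
    free(e);
    return 0;
}
```

The defensive point is in escaped_len_checked(): the bound is verified against the widest available type before any allocation happens, and the escaper treats a refused length as an error instead of proceeding with a wrapped value. A fixed build of a library with this bug class should behave like the checked path; a process that crashes on large escaping workloads (the signal the "Recommended defensive actions" below suggest monitoring) is consistent with the unchecked one.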

Defensive priority

High. The issue has a high CVSS score, affects a widely used foundational library, and can produce memory corruption with integrity and availability impact even though exploitation requires local access.

Recommended defensive actions

  • Upgrade GLib to a fixed release; NVD's CPE data marks GLib vulnerable up to, but not including, 2.86.3.
  • Apply the relevant Red Hat advisories for any affected RHEL/OpenShift products listed in the NVD record.
  • Inventory applications, libraries, and containers that bundle or depend on GLib, and prioritize systems where local attackers can supply large escaping workloads.
  • Rebuild and redeploy images or packages after updating GLib, then verify the installed version on target hosts.
  • Monitor for crashes or abnormal termination in processes that rely on GLib URI escaping as a compensating detection measure.

Evidence notes

The public description from the source corpus states that the bug is a heap-based buffer overflow in g_escape_uri_string() caused by an incorrect buffer-size calculation that can overflow when many characters require escaping. NVD metadata maps the weakness to CWE-190, provides the CVSS vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, and lists GNOME GLib as vulnerable through version 2.86.3 (exclusive). The NVD reference set also includes multiple Red Hat vendor advisories plus GNOME issue-tracker and merge-request references in the source metadata.

Official resources

CVE published on 2025-11-26 and modified on 2026-05-19. The later modified date reflects record updates and added references; use the published date for initial disclosure timing.