πŸ” CVE Alert

CVE-2026-56288

UNKNOWN 0.0

NULL Pointer Dereference in GNU patch

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk (single block of changes in diff) data structures, causing the application to pass a NULL pointer to fwrite() during patch processing. An attacker can trigger this condition with a malicious patch file, causing the utility to crash and resulting in a denial of service. This issue has been fixed in the commit e6d6a4e021660679d7fc9150f981d4920f722313

CWE CWE-476
Vendor gnu
Product patch
Published Jul 9, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for gnu patch

Be the first to know when new unknown vulnerabilities affecting gnu patch are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

Affected Versions

GNU / patch
0 ≀ 2.8.0

References

NVD β†— CVE.org β†— EPSS Data β†—
cert.pl: https://cert.pl/en/posts/2026/07/CVE-2026-56288 cgit.git.savannah.gnu.org: https://cgit.git.savannah.gnu.org/cgit/patch.git/ cgit.git.savannah.gnu.org: https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=e6d6a4e021660679d7fc9150f981d4920f722313

Credits

MichaΕ‚ Majchrowicz (AFINE Team) Marcin Wyczechowski (AFINE Team)