Full Report
CERT Polska has received a report about 4 vulnerabilities (from CVE-2026-40467 to CVE-2026-40469 and CVE-2026-40553) found in GNU gawk software.
Analysis Summary
# Vulnerability: Multiple Flaws in GNU gawk
## CVE Details
- **CVE ID:** CVE-2026-40467, CVE-2026-40468, CVE-2026-40469, CVE-2026-40553
- **CVSS Score:** Not explicitly provided in report (Calculated Severity: Medium to High)
- **CWE:**
- CWE-416 (Use After Free)
- CWE-190 (Integer Overflow or Wraparound)
- CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:** GNU gawk (GNU awk)
- **Versions:** All versions up to and including 5.4.0.
- **Configurations:**
- CVE-2026-40469 specifically affects **32-bit builds** of gawk.
- CVE-2026-40553 involves the `readdir.c` extension.
## Vulnerability Description
Four distinct vulnerabilities were identified within the gawk codebase:
1. **CVE-2026-40467 (Use After Free):** Located in `io.c` within the `do_getline_redir()` routine. Mismanagement of memory during redirection operations can lead to program crashes.
2. **CVE-2026-40468 (Integer Overflow):** Located in `builtin.c`. This flaw can result in system memory exhaustion or allow an attacker to overwrite heap metadata and objects with controlled bytes.
3. **CVE-2026-40469 (Integer Overflow):** Located in `builtin.c` within the `do_sub()` routine. Affects 32-bit systems, allowing heap metadata corruption and program crashes.
4. **CVE-2026-40553 (Stack-based Buffer Overflow):** Located in `extension/readdir.c` within the `ftype()` routine. This flaw can cause a crash and presents a theoretical risk of arbitrary code execution.
## Exploitation
- **Status:** Reported via Coordinated Vulnerability Disclosure (CVD); PoC details are not publicly detailed in the advisory but were confirmed during the reporting process.
- **Complexity:** Medium
- **Attack Vector:** Local (Typically requires the processing of a specially crafted AWK script or malicious input data).
## Impact
- **Confidentiality:** None/Low
- **Integrity:** Medium (Potential for heap/metadata overwrites)
- **Availability:** High (System memory exhaustion and application crashes)
## Remediation
### Patches
- **GNU gawk version 5.4.1** has been released to address all four vulnerabilities. Users are strongly encouraged to upgrade to this version or newer.
### Workarounds
- Limit the execution of untrusted AWK scripts.
- Avoid using the `readdir` extension if not strictly necessary (mitigates CVE-2026-40553).
- On 32-bit systems, monitor gawk processes for unusual memory consumption.
## Detection
- **Indicators of Compromise:** Unexpected `SIGSEGV` (segmentation faults) or `SIGABRT` in environments running automated gawk scripts.
- **Detection Methods:** Static analysis of gawk scripts for suspicious `getline` redirections or complex `sub()` operations intended for 32-bit targets.
## References
- CERT Polska Advisory: [https://cert.pl/en/posts/2026/07/vulnerabilities-in-gnu-gawk/](https://cert.pl/en/posts/2026/07/vulnerabilities-in-gnu-gawk/)
- CVE-2026-40467: [https://www.cve.org/CVERecord?id=CVE-2026-40467](https://www.cve.org/CVERecord?id=CVE-2026-40467)
- CVE-2026-40468: [https://www.cve.org/CVERecord?id=CVE-2026-40468](https://www.cve.org/CVERecord?id=CVE-2026-40468)
- CVE-2026-40469: [https://www.cve.org/CVERecord?id=CVE-2026-40469](https://www.cve.org/CVERecord?id=CVE-2026-40469)
- CVE-2026-40553: [https://www.cve.org/CVERecord?id=CVE-2026-40553](https://www.cve.org/CVERecord?id=CVE-2026-40553)