Full Report
CERT Polska has received a report about 2 vulnerabilities (CVE-2026-56288 and CVE-2026-56289) found in GNU patch software.
Analysis Summary
# Vulnerability: Multiple Denial of Service Flaws in GNU patch
## CVE Details
- **CVE ID:** CVE-2026-56288, CVE-2026-56289
- **CVSS Score:** N/A (Not officially scored in source, but typically categorized as Medium-High for Denial of Service)
- **CWE:**
- CWE-476: NULL Pointer Dereference (CVE-2026-56288)
- CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-2026-56289)
## Affected Systems
- **Products:** GNU patch
- **Versions:** All versions through 2.8.0
- **Configurations:** Systems utilizing `patch` to process `unified-diff` format files.
## Vulnerability Description
GNU patch contains two distinct flaws that can be triggered by processing malicious patch files:
1. **CVE-2026-56288:** This flaw is a NULL pointer dereference. When the utility processes a specially crafted `unified-diff` file, improper handling of consecutive end-of-file newline markers can corrupt internal `hunk` data structures. This leads to a NULL pointer being passed to the `fwrite()` function, resulting in an immediate application crash.
2. **CVE-2026-56289:** This flaw is an infinite loop issue. The utility fails to properly validate `hunk` line offsets. By specifying an extremely large line number in a malicious patch file, an attacker can force the application into an infinite loop as it attempts to locate the position, leading to 100% CPU exhaustion.
## Exploitation
- **Status:** PoC status not explicitly confirmed, but technical details suggest high exploitability via crafted files.
- **Complexity:** Low
- **Attack Vector:** Local (Triggered when a user or automated system processes a malicious patch file).
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Application crash or system resource exhaustion leading to Denial of Service).
## Remediation
### Patches
Maintainers have released fixes in the source repository. Users should update to versions beyond 2.8.0 or apply the following commits:
- **CVE-2026-56288 Fix:** Commit `e6d6a4e021660679d7fc9150f981d4920f722313`
- **CVE-2026-56289 Fix:** Commit `faba04ef4f2b410257f76c1b9dc85e350929c4b9`
### Workarounds
- Avoid processing untrusted or unverified `.patch` or `.diff` files from unknown sources.
- Implement resource limits (e.g., `ulimit`) to prevent a single `patch` process from consuming all CPU or system memory if it enters an infinite loop.
## Detection
- **Indicators of Compromise:** Unusual CPU spikes caused by `patch` processes or frequent segmentation faults (SIGSEGV) when running automated build/patch pipelines.
- **Detection Methods:** Monitor for large line-offset values in incoming unified-diff files and check for unusual newline patterns at the end of diff files.
## References
- **CERT Polska Advisory:** hxxps[://]cert[.]pl/en/posts/2026/07/vulnerabilities-in-gnu-patch-software/
- **CVE-2026-56288:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-56288
- **CVE-2026-56289:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-56289
- **CVD Policy:** hxxps[://]cert[.]pl/en/cvd/