CVE-2026-1489

Name: CVE-2026-1489
Description: A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release               Version             Status
glib2.0 (PTS)     bullseye              2.66.8-1+deb11u4    vulnerable
                  bullseye (security)   2.66.8-1+deb11u7    vulnerable
                  bookworm              2.74.6-2+deb12u8    vulnerable
                  bookworm (security)   2.74.6-2+deb12u2    vulnerable
                  trixie                2.84.4-3~deb13u2    vulnerable
                  forky, sid            2.86.3-4            vulnerable

The information below is based on the following data on fixed versions.

Package    Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
glib2.0    source    (unstable)    (unfixed)

Notes

https://gitlab.gnome.org/GNOME/glib/-/issues/3872
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4983
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4984
