Zero Day Monitor (ZDM)
6.5
CVE-2026-58012 · EXPLOITED · PATCHED
the gnome project · glib

Glib: buffer over-read in g_regex_replace() via glib/gregex.c:string_append() and g_utf8_next_char()

Description

A flaw was found in GLib. A buffer over-read can occur in the g_regex_replace function when used with the `G_REGEX_RAW` compile flag and case-change replacement escapes because the string_append function processes matched substrings using UTF-8 functions that assume valid UTF-8 input, even when the string is treated as raw bytes. This vulnerability can cause a minor information disclosure of 1-5 bytes and a denial of service when the buffer over-read crosses a page boundary.

Affected Products

Vendor | Product | Versions
the gnome project | glib | 0, 0, 2.86.4, 2.88.0

References

  • https://access.redhat.com/security/cve/CVE-2026-58012 (vdb-entry, x_refsource_REDHAT)
  • https://bugzilla.redhat.com/show_bug.cgi?id=2492247 (issue-tracking, x_refsource_REDHAT)
  • https://gitlab.gnome.org/GNOME/glib/-/issues/3918

Related News (2 articles)

Tier A · Microsoft MSRC · 3h ago
CVE-2026-58012 Glib: buffer over-read in g_regex_replace() via glib/gregex.c:string_append() and g_utf8_next_char()
→ No new info (linked only)

Tier C · VulDB · 19h ago
CVE-2026-58012 | GNOME GLib up to 2.86.4/2.88.0 g_regex_replace buffer over-read (ID 3918)
→ No new info (linked only)

CVSS 3.1: 6.5 CRITICAL
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 2.86.5, 2.88.1
CWE: CWE-126
Published: Jun 30, 2026
Last enriched: 19h ago (v2)
Tags: CVE-2026-58012
Trending Score: 70
Source articles: 2
Independent: 2
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • CRITICAL · CVE-2026-58011 · EXP
    Glib: out-of-bounds read in glib/gdatetime.c:g_date_time_get_ymd via invalid gdatetime
    Trending: 78
  • HIGH · CVE-2026-58016 · EXP
    Glib: integer underflow in gio/gdbusintrospection.c via "g_dbus_node_info_new_for_xml"
    Trending: 67
  • CRITICAL · CVE-2026-58015 · EXP
    Glib: path traversal in glib/gio/gdbusauthmechanismsha1.c via keyring_lookup_entry and mechanism_client_data_receive
    Trending: 60
  • NONE · CVE-2026-6324 · EXP
    Libsoup: libsoup: http request smuggling via unsigned to signed conversion error
    Trending: 1
  • NONE · CVE-2018-25305 · EXP
    librsvg2-bin 2.40.13 Buffer Overflow via Malformed SVG

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Jun 30, 2026
  • Discovered by ZDM: Jun 30, 2026
  • Actively Exploited: Jun 30, 2026
  • Patch Available: Jun 30, 2026
  • Updated (severity, affectedVersions, activelyExploited, tags): Jun 30, 2026

Version History

v2 · Last enriched 19h ago

v2 · Tier C · 19h ago

Updated severity to CRITICAL, added affected versions 2.86.4 and 2.88.0, and marked the vulnerability as actively exploited.

severity, affectedVersions, activelyExploited, tags
via VulDB

v1 · 21h ago

Initial creation