CVE-2026-58016
NixOS Análise e mitigação de vulnerabilidades

Visão geral

CVE-2026-58016 is a state confusion vulnerability in GNOME GLib's D-Bus introspection XML parser that causes an unsigned integer underflow and out-of-bounds heap read, resulting in a denial of service. The flaw exists in the g_dbus_node_info_new_for_xml() function within gio/gdbusintrospection.c when processing malformed XML containing a <node> element nested inside <method>, <signal>, <property>, or <arg> elements. It affects GLib versions prior to 2.88.1, as well as Red Hat's glib2 and mingw-glib2 packages across multiple RHEL releases. Disclosed on June 30, 2026, it carries a CVSS v3.1 base score of 7.5 (High) (Github Advisory, Red Hat Bugzilla).

Detalhes técnicos

The root cause is an integer underflow (CWE-191) in the XML parser's state machine. When a <node> element is encountered nested inside elements such as <method>, the nested closing </node> tag resets the shared data->methods (or data->signals/data->properties) array to an empty state. When the outer closing tag subsequently calls parse_data_get_method(data, FALSE), it accesses pdata[len - 1] with len == 0, causing an unsigned integer underflow (0u - 1 = 0xFFFFFFFF) and a massive out-of-bounds heap read at an offset of approximately 0xFFFFFFFF * sizeof(gpointer) (~8 GB before the buffer). The attack vector is network-accessible, requires no authentication or user interaction, and low attack complexity, making it automatable (Red Hat Bugzilla, Github Advisory).

Impacto

Successful exploitation causes the affected service or application using GLib's D-Bus introspection parser to crash, resulting in a denial of service. The impact is limited to availability — there is no confidentiality or integrity impact identified. Because GLib is a foundational library used widely across Linux desktop and server environments (including GNOME, systemd-adjacent services, and many applications), a crash in a D-Bus-consuming service could disrupt system functionality or require service restarts (Github Advisory, Red Hat Bugzilla).

Etapas de exploração

  1. Identify target: Locate a network-accessible service or application that uses GLib's g_dbus_node_info_new_for_xml() to parse D-Bus introspection XML from untrusted input (e.g., a D-Bus service that accepts XML from remote clients).
  2. Craft malformed XML: Construct a D-Bus introspection XML document containing a <node> element improperly nested inside a <method>, <signal>, <property>, or <arg> element, for example:
<node>
  <interface name="com.example.Test">
    <method name="Foo">
      <node/>
    </method>
  </interface>
</node>
  1. Submit the payload: Send the malformed XML to the target service via D-Bus or any API that passes the XML to g_dbus_node_info_new_for_xml().
  2. Trigger the underflow: The parser's state machine resets the internal methods array upon encountering the nested <node>, then attempts to access pdata[0xFFFFFFFF], triggering an out-of-bounds heap read and crashing the process.
  3. Achieve denial of service: The target service crashes, causing a denial of service for any dependent functionality (Red Hat Bugzilla).

Indicadores de compromisso

  • Logs: Application or system logs showing unexpected crashes or segmentation faults in processes that use GLib's D-Bus introspection (e.g., gdbus, GNOME services, or custom D-Bus daemons); journal entries with signals like SIGSEGV or SIGABRT from GLib-linked processes.
  • Process: Repeated restarts of D-Bus services (e.g., via systemd) without clear cause; core dump files generated by GLib-linked applications in /var/lib/systemd/coredump/ or /tmp/.
  • Network: Unusual or malformed D-Bus introspection XML messages arriving at D-Bus endpoints, particularly containing <node> elements nested within <method>, <signal>, <property>, or <arg> elements.

Mitigação e soluções alternativas

Upgrade GLib to version 2.88.1 or later, which addresses this vulnerability. Red Hat users should apply updated glib2 and mingw-glib2 packages via errata when available from Red Hat. As a workaround, restrict D-Bus interface exposure to trusted networks or applications, and validate or sanitize D-Bus introspection XML input before passing it to g_dbus_node_info_new_for_xml() (Github Advisory, Red Hat Bugzilla).

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado NixOS Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2026-14241CRITICAL9.8
  • NixOS logoNixOS
  • cpe:2.3:a:mozilla:firefox
NãoNãoJun 30, 2026
CVE-2026-58016CRITICAL9.1
  • NixOS logoNixOS
  • glib2
NãoSimJun 30, 2026
CVE-2026-58014HIGH8.6
  • NixOS logoNixOS
  • glib2
NãoSimJun 30, 2026
CVE-2026-58015HIGH7.5
  • NixOS logoNixOS
  • glib2-fam
NãoSimJun 30, 2026
CVE-2026-58374HIGH7.1
  • NixOS logoNixOS
  • hostapd
NãoNãoJun 30, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades