CVE-2026-56288 in patch
Summary
by MITRE • 07/09/2026
GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk (single block of changes in diff) data structures, causing the application to pass a NULL pointer to fwrite() during patch processing. An attacker can trigger this condition with a malicious patch file, causing the utility to crash and resulting in a denial of service.
This issue has been fixed in the commit e6d6a4e021660679d7fc9150f981d4920f722313
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability in GNU patch represents a critical null pointer dereference flaw that can be exploited to achieve denial of service conditions through carefully crafted input files. This issue manifests when the patch utility processes unified-diff format files containing specific patterns of consecutive end-of-file newline markers. The root cause lies in the improper handling of these edge cases within the internal hunk data structure management system, where the application fails to properly validate or sanitize input sequences before proceeding with patch operations.
The technical implementation of this vulnerability stems from how GNU patch manages memory allocations and data structures during diff processing. When consecutive newline markers are encountered at critical points in the unified-diff format, the internal parsing logic becomes confused about the proper boundaries of hunk data blocks. This confusion leads to incomplete or corrupted hunk metadata structures where pointer references become invalid or null, ultimately causing the application to attempt writing to a NULL file descriptor through the fwrite() system call. The flaw specifically affects the utility's ability to properly track and manage the memory regions allocated for storing patch hunks during processing operations.
From an operational impact perspective, this vulnerability creates significant security concerns for systems relying on GNU patch for automated or manual patch management processes. An attacker with the ability to submit malicious patch files could reliably cause the patch utility to crash, effectively disrupting legitimate patching workflows and potentially creating service interruptions in environments where automated patch application is critical. The denial of service condition can be achieved without requiring elevated privileges, making it particularly dangerous in multi-user systems or automated build environments where patch processing occurs with varying levels of user permissions.
The vulnerability aligns with CWE-476 which specifically addresses null pointer dereference conditions in software implementations. This classification reflects the fundamental programming error where the application fails to check for null return values from memory allocation or data structure initialization functions before attempting to use those references. The ATT&CK framework categorizes this type of vulnerability under T1499.004 which covers network denial of service attacks, as the patched behavior directly enables an attacker to consume system resources through controlled application crashes. The fix implemented in commit e6d6a4e021660679d7fc9150f981d4920f722313 addresses the core issue by strengthening input validation and ensuring proper null checking of internal data structure pointers before attempting file operations.
Mitigation strategies should focus on immediate patch application to address the identified vulnerability in GNU patch versions prior to the fixed commit. System administrators should also implement input validation measures for patch files, particularly when processing external or untrusted sources, including scanning for suspicious patterns of consecutive newlines or other malformed sequences that could trigger similar parsing issues. Additional defensive measures include deploying monitoring systems to detect abnormal patch utility behavior and implementing sandboxed environments for patch processing to limit potential impact from exploitation attempts. Organizations should also consider maintaining updated patch baselines and regularly reviewing third-party software dependencies for similar vulnerabilities in related tools within their security infrastructure.