CVE-2026-58471 in wgetinfo

Summary

by MITRE • 07/07/2026

GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability under discussion represents a critical heap buffer overflow flaw in GNU Wget versions prior to 1.25.1, specifically within the convert_fname() function located in src/url.c. This vulnerability stems from improper memory management during character set conversion operations when processing filenames supplied by remote servers. The issue manifests when wget encounters a filename that requires conversion between different character encodings, typically involving the iconv library for transcoding operations.

The technical root cause involves a miscalculation in the reallocation logic that occurs when the iconv function returns an E2BIG error indicating that the output buffer is insufficient for the converted content. During this error handling scenario, the application attempts to resize the output buffer but incorrectly computes the remaining space available for the conversion operation. This mathematical error results in a buffer size that is smaller than required, causing subsequent memory writes to overflow into adjacent heap memory regions.

The operational impact of this vulnerability extends beyond simple memory corruption as it provides remote attackers with a potential pathway for arbitrary code execution or denial of service conditions. Attackers can craft malicious server responses containing specially formatted filenames that trigger the vulnerable conversion path, leading to heap corruption that may be exploited through various attack vectors including memory spraying techniques or by manipulating the corrupted heap metadata.

This vulnerability maps directly to CWE-122 Heap-based Buffer Overflow, which specifically addresses buffer overflows occurring in heap memory regions where insufficient bounds checking allows writes beyond allocated buffer boundaries. The flaw also aligns with ATT&CK technique T1059.007 Command and Scripting Interpreter: Unix Shell, as exploitation may involve command execution through compromised processes, and T1203 Exploitation for Client Execution when the application is used in automated contexts.

The mitigation strategy involves updating to GNU Wget version 1.25.1 or later where the commit c2640fe addresses the miscalculation in buffer reallocation logic. Organizations should also implement network segmentation and monitoring of wget usage patterns to detect potential exploitation attempts. Additionally, security teams should consider deploying heap protection mechanisms such as stack canaries and address space layout randomization to reduce exploit reliability even if the underlying vulnerability remains unpatched.

The broader implications for software security highlight the critical importance of proper buffer management during character encoding operations in network applications. This vulnerability demonstrates how seemingly routine functionality like filename conversion can become a vector for serious security compromises when proper bounds checking and error handling are not implemented. System administrators should conduct thorough vulnerability assessments of all wget installations and ensure timely patch deployment across enterprise environments where this tool is utilized for automated downloads or web scraping operations.

The fix implemented in commit c2640fe specifically addresses the calculation error by correctly determining available buffer space during reallocation attempts, ensuring that subsequent memory operations have sufficient capacity to accommodate the converted output without overflow conditions. This represents a classic example of how mathematical errors in memory management can lead to critical security vulnerabilities requiring careful attention to boundary calculations and resource allocation in security-sensitive applications.

Responsible

VulnCheck

Reservation

06/30/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!