GNOME GLib up to 2.88.0 gkeyfile.c g_key_file_get_locale_string_list off-by-one

Summaryinfo

A vulnerability marked as critical has been reported in GNOME GLib up to 2.88.0. This vulnerability affects the function g_key_file_get_locale_string_list of the file gkeyfile.c. The manipulation leads to off-by-one. This vulnerability is documented as CVE-2026-58014. The attack can be initiated remotely. There is not any exploit available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, has been found in GNOME GLib up to 2.88.0. This issue affects the function g_key_file_get_locale_string_list of the file gkeyfile.c. The manipulation with an unknown input leads to a off-by-one vulnerability. Using CWE to declare the problem leads to CWE-193. A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

A flaw was found in GLib. An off-by-one error can occur in the g_key_file_get_locale_string_list function in the gkeyfile.c file when loading a key file with an empty value. This flaw can cause an out-of-bounds access of 1 byte or a denial of service when the out-of-bounds access crosses a page boundary.

The advisory is shared at access.redhat.com. The identification of this vulnerability is CVE-2026-58014 since 06/26/2026. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available.

Upgrading to version 2.88.1 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-40316). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• GNOME

Name

• GLib

Version

• 2.0
• 2.1
• 2.2
• 2.3
• 2.4
• 2.5
• 2.6
• 2.7
• 2.8
• 2.9
• 2.10
• 2.11
• 2.12
• 2.13
• 2.14
• 2.15
• 2.16
• 2.17
• 2.18
• 2.19
• 2.20
• 2.21
• 2.22
• 2.23
• 2.24
• 2.25
• 2.26
• 2.27
• 2.28
• 2.29
• 2.30
• 2.31
• 2.32
• 2.33
• 2.34
• 2.35
• 2.36
• 2.37
• 2.38
• 2.39
• 2.40
• 2.41
• 2.42
• 2.43
• 2.44
• 2.45
• 2.46
• 2.47
• 2.48
• 2.49
• 2.50
• 2.51
• 2.52
• 2.53
• 2.54
• 2.55
• 2.56
• 2.57
• 2.58
• 2.59
• 2.60
• 2.61
• 2.62
• 2.63
• 2.64
• 2.65
• 2.66
• 2.67
• 2.68
• 2.69
• 2.70
• 2.71
• 2.72
• 2.73
• 2.74
• 2.75
• 2.76
• 2.77
• 2.78
• 2.79
• 2.80
• 2.81
• 2.82
• 2.83
• 2.84
• 2.85
• 2.86
• 2.87
• 2.88.0

License

• open-source

Website

• Vendor: https://www.gnome.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion