GNU CVE Vulnerabilities and CVE List (1,192)

Products (CPE): — CVE count: 1,192

GNU Vulnerability Overview

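This page aggregates CVE and security vulnerability information across all GNU-related products and lists CVSS, EPSS, publication date, and vulnerability intelligence data.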

Common weakness patterns include memory corruption, path-handling flaws, input validation, and cross-site scripting; in production workloads these can lead to risks such as file overwrite, unexpected behavior, and session compromise.

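The listed data is based on public vulnerability information and security advisories, and can be used to assess past exposure and remediation priority.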

Vulnerability distribution trend (last 24 months)

Showing 4160 / 1192 CVEs
CVE Summary Source CVSS (max) EPSS (%) Published Updated
CVE-2026-0861 Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment 3ff69d7a-14f2-4f67-a097-88dee7810d18 8.4 0.35% 2026-01-14 2026-06-17
CVE-2025-69195 A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. A remote attacker can exploit this by providing a specially crafted URL, which, upon user interaction with wget2, can lead to memory corruption. This can cause the application to crash and potentially allow for further malicious activities. [email protected] 7.6 0.29% 2026-01-09 2026-06-17
CVE-2025-69194 A security issue was discovered in GNU Wget2 when handling Metalink documents. The application fails to properly validate file paths provided in Metalink <file name> elements. An attacker can abuse this behavior to write files to unintended locations on the system. This can lead to data loss or potentially allow further compromise of the user’s environment. [email protected] 8.8 0.71% 2026-01-09 2026-06-17
CVE-2025-13151 Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string. [email protected] 7.5 1.11% 2026-01-07 2026-06-17
CVE-2025-65409 A divide-by-zero in the encryption/decryption routines of GNU Recutils v1.9 allows attackers to cause a Denial of Service (DoS) via inputting an empty value as a password. [email protected] 7.5 0.32% 2025-12-30 2026-06-17
CVE-2025-66866 An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file. [email protected] 7.5 0.28% 2025-12-29 2026-06-17
CVE-2025-66865 An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file. [email protected] 7.5 0.32% 2025-12-29 2026-06-17
CVE-2025-66864 An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file. [email protected] 7.5 0.20% 2025-12-29 2026-06-17
CVE-2025-66863 An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file. [email protected] 7.5 0.32% 2025-12-29 2026-06-17
CVE-2025-66862 A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file. [email protected] 7.5 0.32% 2025-12-29 2026-06-17
CVE-2025-66861 An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file. [email protected] 2.5 0.12% 2025-12-29 2026-06-17
CVE-2025-61662 A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality com [email protected] 7.8 0.19% 2025-11-18 2026-06-17
CVE-2025-62689 NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition. [email protected] 8.7 0.37% 2025-11-10 2026-06-17
CVE-2025-59777 NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service (DoS) condition. [email protected] 8.7 0.37% 2025-11-10 2026-06-17
CVE-2025-11840 A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue. [email protected] 1.9 0.25% 2025-10-16 2026-06-17
CVE-2025-11839 A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. [email protected] 1.9 0.25% 2025-10-16 2026-06-17
CVE-2025-11495 A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch. [email protected] 1.9 0.21% 2025-10-08 2026-06-17
CVE-2025-11494 A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue. [email protected] 1.9 0.19% 2025-10-08 2026-06-17
CVE-2025-11414 A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component. [email protected] 1.9 0.18% 2025-10-07 2026-06-17
CVE-2025-11413 A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised. [email protected] 1.9 0.20% 2025-10-07 2026-06-17
cvelogic Threat Intelligence