Cyber Posture

CVE-2026-0810

High · Public PoC

Published: 26 January 2026

Modified: 26 February 2026
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0001 (0.3th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0810 is a high-severity Incorrect Calculation of Multi-Byte String Length (CWE-135) vulnerability in Gitoxidelabs Gix-Date. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 0.3th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004) and 1 other technique.
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004: Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

T1565.001: Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Local exploitation of the string/UTF-8 invariant violation produces application crashes (DoS via exploitation) and data corruption (stored data manipulation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences.

Deeper analysis (AI)

CVE-2026-0810, published on 2026-01-26, is a vulnerability in the gix-date Rust crate, which is part of the gitoxide project. The flaw resides in the `gix_date::parse::TimeBuf::as_str` function, which can produce strings containing invalid non-UTF8 characters. This violates the internal safety invariants of the TimeBuf component, potentially causing undefined behavior when the malformed strings are processed further. Such behavior could lead to application instability or other unforeseen consequences. The issue carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-135 (incorrect calculation of multi-byte string length) and CWE-682 (incorrect calculation).
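The bug class described above, as an added Rust example that is not taken from the advisory or from the gitoxide code base: a hypothetical `StampBuf` that safe callers can fill with arbitrary bytes, with an unchecked string view beside a validating one. The type, its `io::Write` implementation and the sample inputs are assumptions made for illustration.

```rust
use std::io::Write;
use std::str::Utf8Error;

/// Hypothetical stand-in for a small formatting buffer; not gix-date's code.
pub struct StampBuf {
    bytes: [u8; 32],
    len: usize,
}

impl StampBuf {
    pub fn new() -> Self {
        StampBuf { bytes: [0; 32], len: 0 }
    }

    /// Weak form: trusts the bytes to be UTF-8, so bad input breaks str's invariant.
    #[allow(dead_code)]
    pub fn as_str_unchecked(&self) -> &str {
        unsafe { std::str::from_utf8_unchecked(&self.bytes[..self.len]) }
    }

    /// Hardened form: validates on every read and reports where validation failed.
    pub fn as_str_checked(&self) -> Result<&str, Utf8Error> {
        std::str::from_utf8(&self.bytes[..self.len])
    }
}

/// Assumption for this model: the buffer accepts arbitrary bytes via io::Write.
impl Write for StampBuf {
    fn write(&mut self, data: &[u8]) -> std::io::Result<usize> {
        let n = data.len().min(self.bytes.len() - self.len);
        self.bytes[self.len..self.len + n].copy_from_slice(&data[..n]);
        self.len += n;
        Ok(n)
    }
    fn flush(&mut self) -> std::io::Result<()> { Ok(()) }
}

/// Fill a buffer and return the offset of the first invalid byte, if any.
pub fn first_invalid_offset(input: &[u8]) -> Option<usize> {
    let mut buf = StampBuf::new();
    buf.write_all(input).expect("constructed input fits in 32 bytes");
    buf.as_str_checked().err().map(|e| e.valid_up_to())
}

fn main() {
    // Constructed inputs: a plausible timestamp, and one with a lone 0xFF byte.
    println!("{:?}", first_invalid_offset(b"1700000000 +0100"));
    println!("{:?}", first_invalid_offset(b"1700\xFF000 +0100"));
}
```

The unchecked accessor is never called on malformed input here; the checked accessor turns the same condition into an ordinary `Err` that callers can handle.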

Exploitation requires local access, low attack complexity, and low privileges, with no user interaction needed and an unchanged impact scope. A local attacker with basic privileges could trigger the vulnerable function, achieving high impacts on integrity and availability—such as corrupting data or crashing applications that rely on gix-date for date parsing—while confidentiality remains unaffected.

Advisories provide mitigation guidance, including patches for affected versions of gix-date. Security practitioners should consult Red Hat's CVE page (https://access.redhat.com/security/cve/CVE-2026-0810), the related Bugzilla entry (https://bugzilla.redhat.com/show_bug.cgi?id=2427057), the gitoxide GitHub issue (https://github.com/GitoxideLabs/gitoxide/issues/2305), and the RustSec advisory (https://rustsec.org/advisories/RUSTSEC-2025-0140.html) for updated crate versions and remediation steps. The crate page on crates.io (https://crates.io/crates/gix-date) offers details on releases.

Details

CWE(s)

Affected Products

gitoxidelabs gix-date ≤ 0.12.0

CVEs Like This One

CVE-2026-24783 (shared CWE-682)
CVE-2026-1229 (shared CWE-682)
CVE-2026-44498 (shared CWE-682)
CVE-2025-26622 (shared CWE-682)
CVE-2026-28410 (shared CWE-682)
CVE-2026-33487 (shared CWE-682)
CVE-2026-25634 (shared CWE-682)

References