CVE-2026-5928
Published: 20 April 2026
Summary
CVE-2026-5928 is a high-severity Buffer Under-read (CWE-127) vulnerability in Gnu Glibc. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identification, reporting, and correction of the specific buffer under-read flaw in glibc's ungetwc function to eliminate the vulnerability causing heap disclosure or crashes.
Mandates vulnerability scanning that would identify CVE-2026-5928 in glibc versions 2.43 and earlier across systems.
Implements memory protection mechanisms like ASLR that mitigate exploitation of the heap buffer under-read from incorrect wide-stream pointer usage, limiting data disclosure impact.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in glibc ungetwc enables remote exploitation of public-facing applications (T1190) and directly causes application crashes for DoS (T1499.004); heap disclosure is possible but rare and not primary impact.
NVD Description
Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an…
more
attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.
Deeper analysisAI
CVE-2026-5928 is a vulnerability in the GNU C Library (glibc) versions 2.43 and earlier, specifically in the implementation of the ungetwc function for wide character streams. When ungetwc is called on a FILE stream using wide characters encoded in a character set with overlaps between single-byte and multi-byte representations, it may attempt to read bytes before an allocated buffer. This stems from a bug in _IO_wdefault_pbackfail within libio/wgenops.c, where ungetwc operates on the regular character buffer (fp->_IO_read_ptr) rather than the wide-stream read pointer (fp->_wide_data->_IO_read_ptr), potentially leading to unintentional disclosure of neighboring heap data or a program crash if the pointer is uninitialized (e.g., NULL).
Remote attackers can exploit this vulnerability with network access, low attack complexity, no privileges, and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and association with CWE-127 (Buffer Under-read). Successful exploitation typically results in a denial of service via program crash, while heap data disclosure requires a rare condition of encoding overlaps that enable spurious matches—such matches are not possible in standard Unicode character sets.
Mitigation details are documented in the Sourceware Bugzilla report at https://sourceware.org/bugzilla/show_bug.cgi?id=33998.
Details
- CWE(s)