Cyber Resilience

CVE-2026-5928

HighPublic PoC

Published: 20 April 2026

Published
20 April 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0007 21.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5928 is a high-severity Buffer Under-read (CWE-127) vulnerability in Gnu Glibc. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5928 is a vulnerability in the GNU C Library (glibc) versions 2.43 and earlier, specifically in the implementation of the ungetwc function for wide character streams. When ungetwc is called on a FILE stream using wide characters encoded in a character set with overlaps between single-byte and multi-byte representations, it may attempt to read bytes before an allocated buffer. This stems from a bug in _IO_wdefault_pbackfail within libio/wgenops.c, where ungetwc operates on the regular character buffer (fp->_IO_read_ptr) rather than the wide-stream read pointer (fp->_wide_data->_IO_read_ptr), potentially leading to unintentional disclosure of neighboring heap data or a program crash if the pointer is uninitialized (e.g., NULL).

Remote attackers can exploit this vulnerability with network access, low attack complexity, no privileges, and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and association with CWE-127 (Buffer Under-read). Successful exploitation typically results in a denial of service via program crash, while heap data disclosure requires a rare condition of encoding overlaps that enable spurious matches—such matches are not possible in standard Unicode character sets.

Mitigation details are documented in the Sourceware Bugzilla report at https://sourceware.org/bugzilla/show_bug.cgi?id=33998.

EU & UK References

Vulnerability details

Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an…

more

attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in glibc ungetwc enables remote exploitation of public-facing applications (T1190) and directly causes application crashes for DoS (T1499.004); heap disclosure is possible but rare and not primary impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4437Same product: Gnu Glibc
CVE-2026-4046Same product: Gnu Glibc
CVE-2026-5450Same product: Gnu Glibc
CVE-2026-5435Same product: Gnu Glibc
CVE-2025-15281Same product: Gnu Glibc
CVE-2026-0915Same product: Gnu Glibc
CVE-2026-0861Same product: Gnu Glibc
CVE-2025-69649Same vendor: Gnu
CVE-2024-10395Shared CWE-127
CVE-2025-69650Same vendor: Gnu

Affected Assets

gnu
glibc
≤ 2.43

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identification, reporting, and correction of the specific buffer under-read flaw in glibc's ungetwc function to eliminate the vulnerability causing heap disclosure or crashes.

detect

Mandates vulnerability scanning that would identify CVE-2026-5928 in glibc versions 2.43 and earlier across systems.

prevent

Implements memory protection mechanisms like ASLR that mitigate exploitation of the heap buffer under-read from incorrect wide-stream pointer usage, limiting data disclosure impact.

References