CVE-2025-14087 PUBLISHED

Glib: glib: buffer underflow in gvariant parser leads to heap corruption

Assigner: redhat
Reserved: 05.12.2025 Published: 10.12.2025 Updated: 06.02.2026

A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS Score: 5.6

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	GNOME
Product	glib
Versions	Default: unaffected affected from 0 to 2.86.3 (excl.)

Vendor	Red Hat
Product	Red Hat Enterprise Linux 10
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 10
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 10
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 10
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 10
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 10
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 10
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 6
Versions	Default: unknown

Vendor	Red Hat
Product	Red Hat Enterprise Linux 7
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 8
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 8
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 8
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 9
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 9
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 9
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 9
Versions	Default: affected

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Credits

Red Hat would like to thank Sovereign Tech Resilience program (Sovereign Tech Agency) and treeplus for reporting this issue.

References

Problem Types

Integer Overflow or Wraparound CWE