CVE-2026-40469 PUBLISHED

Heap buffer overflow in gawk

Assigner: CERT-PL
Reserved: 13.04.2026 Published: 13.07.2026 Updated: 13.07.2026

Integer overflow vulnerability has been found in "builtin.c" program file of gawk (do_sub() routine). This issue could be used to overwrite gawk heap metadata and objects causing the program to crash. It affects 32-bit builds of gawk in versions 5.4.0 and below.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 5.1

Product Status

Vendor GNU
Product gawk
Versions Default: unaffected
  • affected from 0 to 5.4.0 (incl.)

Credits

  • Michał Majchrowicz (AFINE) finder
  • Marcin Wyczechowski (AFINE) finder

References

Problem Types

  • CWE-190 Integer Overflow or Wraparound CWE