{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-56288","assignerOrgId":"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6","state":"PUBLISHED","assignerShortName":"CERT-PL","dateReserved":"2026-06-20T10:58:09.261Z","datePublished":"2026-07-09T09:29:07.947Z","dateUpdated":"2026-07-09T12:57:48.785Z"},"containers":{"cna":{"providerMetadata":{"orgId":"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6","shortName":"CERT-PL","dateUpdated":"2026-07-09T09:29:07.947Z"},"title":"NULL Pointer Dereference in GNU patch","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-476","description":"CWE-476 NULL Pointer Dereference","type":"CWE"}]}],"affected":[{"vendor":"GNU","product":"patch","repo":"https://cgit.git.savannah.gnu.org/cgit/patch.git/","versions":[{"status":"affected","version":"0","lessThanOrEqual":"2.8.0","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk (single block of changes in diff) data structures, causing the application to pass a NULL pointer to fwrite() during patch processing.\nAn attacker can trigger this condition with a malicious patch file, causing the utility to crash and resulting in a denial of service.\n\n\n\nThis issue has been fixed in the commit e6d6a4e021660679d7fc9150f981d4920f722313","supportingMedia":[{"type":"text/html","base64":false,"value":"GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk (single block of changes in diff) data structures, causing the application to pass a NULL pointer to fwrite() during patch processing.<br>An attacker can trigger this condition with a malicious patch file, causing the utility to crash and resulting in a denial of service.<br><br><p>This issue has been fixed in the commit e6d6a4e021660679d7fc9150f981d4920f722313</p>"}]}],"tags":["x_open-source"],"references":[{"url":"https://cert.pl/en/posts/2026/07/CVE-2026-56288","tags":["third-party-advisory"]},{"url":"https://cgit.git.savannah.gnu.org/cgit/patch.git/","tags":["product"]},{"url":"https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=e6d6a4e021660679d7fc9150f981d4920f722313","tags":["patch"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"ACTIVE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"MEDIUM","baseScore":4.6,"vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}}],"credits":[{"lang":"en","value":"Michał Majchrowicz (AFINE Team)","type":"finder"},{"lang":"en","value":"Marcin Wyczechowski (AFINE Team)","type":"finder"}],"source":{"discovery":"EXTERNAL"},"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-07-09T12:57:28.554596Z","id":"CVE-2026-56288","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-07-09T12:57:48.785Z"}}]}}