CVE-2026-58471
GNU Wget 1.25.0 Heap Buffer Overflow via convert_fname() in url.c
Description
GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.
CVSS Vector Breakdown
AV:NAttack VectorAC:HAttack ComplexityPR:NPrivileges RequiredUI:RUser InteractionS:UScopeC:NConfidentialityI:LIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
1 techniqueReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-58471 and every CVE in our database. Create a free account — no credit card required.
Create Free Account