Dear GNU Coreutils Security Team,
We have identified a **Format String + Stack Buffer Overflow** vulnerability in
**coreutils-printf**.
**CWE-121** | **CVSS 9.8 (Critical)** | **Remote Code Execution**
### Description
User-controlled input reaches a dangerous sink without sanitization, enabling
memory corruption and arbitrary code execution.
Confirmed via AddressSanitizer: `ERROR: AddressSanitizer:
stack-buffer-overflow`.
### Affected Location
| Field | Value |
|---|---|
| **File** | `src/printf.c` |
| **Line** | `511` |
| **Function** | `print_formatted()` |
| **Source** | `argv[optind]` |
| **Sink** | `printf(spec, argv[i])` |
| **Impact** | Remote Code Execution |
### Vulnerable Code
**src/printf.c** (line 511)
in function `print_formatted()`
```c
// Vulnerable pattern — CWE-121
// Source: argv[optind]
printf(spec, argv[i]); // <-- CWE-134: user input used as format string
char buf[32];
sprintf(buf, "%s", argv[optind]); // <-- CWE-121: unbounded copy into fixed buffer
```
### Recommended Fix
- In `src/printf.c` function `print_formatted()`: replace `printf(spec, argv[i])` with `printf("%s", ...)` — never pass user input as format string.
- In `src/printf.c` function `print_formatted()`: replace `sprintf(buf, ...)` with `snprintf(buf, sizeof(buf), ...)` — bound all copies to buffer size.
- Add `-Wformat -Wformat-security -Werror=format-security` to CFLAGS.
- Enable ASAN in CI builds: `-fsanitize=address,undefined` to catch regressions.
- Compile with `-fstack-protector-strong -D_FORTIFY_SOURCE=2`.
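As an added illustration of the first two items in the fix list (this is example code written for this page, not code from the report or from coreutils; `copy_bounded`, `render_literal`, `stored_len`, `renders_verbatim` and `BUF_SIZE` are names chosen here, and the inputs in `main` are constructed samples), the following shows the bounded copy and the fixed-format write side by side with the unsafe call shapes left only as comments:

```c
// Added example (not from the report or from coreutils): the two hardened
// patterns the fix list recommends. Function names and BUF_SIZE are this
// example's own; the inputs in main() are constructed samples.
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32

/* Unsafe shape (CWE-121):  sprintf(buf, "%s", src);   -- no bound on src.
 * Bounded replacement: snprintf writes at most dst_size - 1 bytes and always
 * NUL-terminates. Returns 1 if src fit entirely, 0 if it was truncated. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    int n = snprintf(dst, dst_size, "%s", src);
    if (n < 0)
        return 0;                    /* encoding error: treat as failure */
    return (size_t)n < dst_size;     /* n = bytes needed, excluding the NUL */
}

/* Unsafe shape (CWE-134):  printf(user_text);   -- '%' in user data is parsed.
 * Fixed-format replacement: the format is the literal "%s", so user_text is
 * emitted verbatim. Writes into out (bounded) and returns the length that
 * would have been written, like snprintf, so callers can detect truncation. */
int render_literal(char *out, size_t out_size, const char *user_text)
{
    return snprintf(out, out_size, "%s", user_text);
}

/* Copies src into a BUF_SIZE stack buffer and reports the stored length; with
 * the bounded copy this can never exceed BUF_SIZE - 1, whatever src is. */
size_t stored_len(const char *src)
{
    char buf[BUF_SIZE];
    copy_bounded(buf, sizeof buf, src);
    return strlen(buf);
}

/* Does user_text survive render_literal byte-for-byte, i.e. were its '%'
 * sequences printed literally rather than interpreted as conversions? */
int renders_verbatim(const char *user_text)
{
    char out[256];
    int n = render_literal(out, sizeof out, user_text);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, user_text) == 0;
}

int main(void)
{
    /* Constructed sample inputs: one overlong argument, one containing
     * conversion specifiers. Neither can corrupt memory through the
     * hardened calls above. */
    char overlong[64];
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';
    const char *with_conversions = "%x %x %n";

    char buf[BUF_SIZE];
    int fit = copy_bounded(buf, sizeof buf, overlong);
    printf("copy fit=%d stored_len=%zu (cap %d)\n",
           fit, strlen(buf), BUF_SIZE - 1);

    char out[64];
    render_literal(out, sizeof out, with_conversions);
    printf("rendered: %s\n", out);   /* the %-sequences appear literally */
    return 0;
}
```

The return value of `copy_bounded` is the part worth wiring into real code: `snprintf` silently truncates, so a caller that needs the whole argument should check the result rather than assume the copy is complete.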
### Disclosure
- **Discovered:** 2026-04-10
Regards,
Arjun Basnet
Securin Labs