The following security advisories have been published:
GLIBC-SA-2026-0003: =================== wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process. The implementation of WRDE_REUSE in conjunction with WRDE_APPEND fails to clear the we_wordc member of the structure, and as such, when new words are added internally, a leading we_wordc count number of entries are skipped since they are assumed initialized. These skipped entries are not initialized, but are the contents of a realloc-expanded array of pointers. If the caller inspects the we_wordv array, it will dereference invalid pointers and crash. If the caller calls wordfree, the malloc implementation may detect the invalid pointers and abort the process. Calls to wordexp using WRDE_REUSE and WRDE_APPEND have never worked correctly and thus the existence of applications that make use of this feature is unlikely. CVE-Id: CVE-2025-15281 Public-Date: 2026-01-20 Vulnerable-Commit: 8f2ece695d8822e9ecc63ecd157e90bf17a6fe65 (1.93-260) Fix-Commit: 80cc58ea2de214f85b0a1d902a3b668ad2ecb302 (2.43) Reported-by: Vitaly Simonovich Notes: ====== Published advisories are available directly in the project git repository: https://sourceware.org/git/?p=glibc.git;a=tree;f=advisories;hb=HEAD -- Cheers, Carlos.
