CVE-2026-56289

EUVD-2026-42557
GNU patch is vulnerable to a denial of service (DoS) due to improper validation of hunk (single block of changes in diff) line offsets in unified-diff input. A specially crafted patch can specify an extremely large line number, causing the application to enter an effectively infinite processing loop while attempting to locate the requested position.
This results in excessive CPU consumption and prevents the process from completing.
An attacker can trigger this behavior by supplying a malicious patch file, causing the utility to become unresponsive and require manual termination.



This issue has been fixed in the commit faba04ef4f2b410257f76c1b9dc85e350929c4b9
Infinite Loop
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
CERT-PLCNA
4.6 MEDIUM
LOCAL
LOW
NONE
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
gnupatch
𝑥
≤ 2.8.0
CNA
Debian logo
Debian Releases
Debian Product
Codename
patch
bookworm
unimportant
bullseye
unimportant
forky
unimportant
sid
unimportant
trixie
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
patch
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
resolute
needs-triage
trusty
needs-triage
xenial
needs-triage