{"id":"CVE-2026-5450","summary":"scanf %mc off-by-one heap buffer overflow","details":"Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.","modified":"2026-06-30T16:59:19.396453191Z","published":"2026-04-20T20:55:41.170Z","related":["ALSA-2026:33092","ALSA-2026:33126","ALSA-2026:33226","CGA-m5jw-vxxx-6fc8","SUSE-SU-2026:21682-1","SUSE-SU-2026:21688-1","SUSE-SU-2026:21751-1","SUSE-SU-2026:21807-1","SUSE-SU-2026:2231-1","SUSE-SU-2026:2333-1","SUSE-SU-2026:2440-1","openSUSE-SU-2026:10770-1","openSUSE-SU-2026:20764-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5450.json","cna_assigner":"glibc","cwe_ids":["CWE-122"],"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"2.7"},{"fixed":"*"}]}]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5450.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-5450"},{"type":"REPORT","url":"https://sourceware.org/bugzilla/show_bug.cgi?id=CVE-2026-5450"},{"type":"ARTICLE","url":"https://inbox.sourceware.org/libc-announce/b11f0003-6ec1-4bd6-b9de-9e38a4efeca3@redhat.com/T/#u"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://sourceware.org/git/glibc.git","events":[{"introduced":"ed13ccf1f789aecf1bbdabd4f9f7ff5af085278e"},{"last_affected":"f762ccf84f122d1354f103a151cba8bde797d521"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"2.7"},{"last_affected":"2.43"}],"cpe":"cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*"}}],"versions":["glibc-2.43","glibc-2.42","glibc-2.42.9000","glibc-2.41.9000","glibc-2.41","glibc-2.40","glibc-2.40.9000","glibc-2.39.9000","glibc-2.39","glibc-2.38","glibc-2.38.9000","glibc-2.37","glibc-2.37.9000","glibc-2.36","glibc-2.36.9000","glibc-2.35","glibc-2.35.9000","glibc-2.34","glibc-2.34.9000","glibc-2.33","glibc-2.33.9000","glibc-2.32","glibc-2.32.9000","glibc-2.31","glibc-2.31.9000","changelog-ends-here","glibc-2.30","glibc-2.30.9000","glibc-2.29","glibc-2.29.9000","glibc-2.28","glibc-2.28.9000","glibc-2.27","glibc-2.27.9000","glibc-2.26","glibc-2.26.9000","glibc-2.25","glibc-2.25.90","glibc-2.24","glibc-2.24.90","glibc-2.23","glibc-2.23.90","glibc-2.22","glibc-2.22.90","glibc-2.21","glibc-2.21.90","glibc-2.20","glibc-2.20.90","glibc-2.19","glibc-2.19.90","glibc-2.18","glibc-2.18.90","glibc-2.17","glibc-2.17.90","glibc-2.16.0","glibc-2.16.90","glibc-2.16-ports-merge","glibc-2.16","glibc-2.16-tps","glibc-2.15","glibc-2.14.9000","glibc-2.14","glibc-2.13","glibc-2.12","glibc-2.11","cvs/glibc-2_8-base","cvs/fedora-glibc-20090510T1842","glibc-2.10","cvs/glibc-2_10-base","cvs/glibc-2_10","cvs/fedora-glibc-20090509T2200","cvs/fedora-glibc-20090509T1828","cvs/fedora-glibc-20090427T1419","cvs/fedora-glibc-20090424T1908","cvs/fedora-glibc-20090424T0747","cvs/fedora-glibc-20090416T1610","cvs/fedora-glibc-20090416T0610","cvs/fedora-glibc-20090415T1619","cvs/fedora-glibc-20090414T2104","cvs/fedora-glibc-20090409T1422","cvs/fedora-glibc-20090408T1602","cvs/fedora-glibc-20090407T0657","cvs/fedora-glibc-20090407T0545","cvs/fedora-glibc-20090401T0935","cvs/fedora-glibc-20090320T1944","cvs/fedora-glibc-20090310T1925","cvs/fedora-glibc-20090309T1421","cvs/fedora-glibc-20090218T1534","cvs/fedora-glibc-20090204T2135","cvs/fedora-glibc-20090108T1017","cvs/fedora-glibc-20090108T0952","cvs/fedora-glibc-20090102T2110","cvs/fedora-glibc-20090102T2040","cvs/fedora-glibc-20090102T0809","glibc-2.9","cvs/glibc-2_9-base","cvs/glibc-2_9","cvs/fedora-glibc-20081113T2206","cvs/fedora-glibc-20081112T2008","cvs/fedora-glibc-20081031T2102","cvs/fedora-glibc-20081028T1533","cvs/fedora-glibc-20081019T1815","cvs/fedora-glibc-20080828T1623","cvs/fedora-glibc-20080802T0809","cvs/fedora-glibc-20080728T2320","cvs/fedora-glibc-20080716T0944","cvs/fedora-glibc-20080703T1203","cvs/fedora-glibc-20080613T1601","cvs/fedora-glibc-20080612T1619","cvs/fedora-glibc-20080524T2218","cvs/fedora-glibc-20080520T1924","cvs/fedora-glibc-20080518T1017","cvs/fedora-glibc-20080516T2152","cvs/fedora-glibc-20080515T0735","glibc-2.8","cvs/glibc-2_8","cvs/fedora-glibc-20080412T0741","cvs/fedora-glibc-20080411T1934","cvs/fedora-glibc-20080410T1907","cvs/fedora-glibc-20080408T0706","cvs/fedora-glibc-20080328T1347","cvs/fedora-glibc-20080326T1041","cvs/fedora-glibc-20080314T2159","cvs/fedora-glibc-20080314T1732","cvs/fedora-glibc-20080310T1651","cvs/fedora-glibc-20080305T0857","cvs/fedora-glibc-20080216T1726","cvs/fedora-glibc-20080201T1017","cvs/fedora-glibc-20080131T0821","cvs/fedora-glibc-20080111T0737","cvs/fedora-glibc-20080103T1958","cvs/fedora-glibc-20071227T0908","cvs/fedora-glibc-20071212T1953","cvs/fedora-glibc-20071212T1051","glibc-2.7","cvs/glibc-2_7-base","cvs/glibc-2_7"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-5450.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}