| CVE ID | CVE-2026-40467 |
| Publication date | 13 July 2026 |
| Vendor | GNU |
| Product | gawk |
| Vulnerable versions | All through 5.4.0 |
| Vulnerability type (CWE) | Use After Free (CWE-416) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-40468 |
| Publication date | 13 July 2026 |
| Vendor | GNU |
| Product | gawk |
| Vulnerable versions | All through 5.4.0 |
| Vulnerability type (CWE) | Integer Overflow or Wraparound (CWE-190) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-40469 |
| Publication date | 13 July 2026 |
| Vendor | GNU |
| Product | gawk |
| Vulnerable versions | All through 5.4.0 |
| Vulnerability type (CWE) | Integer Overflow or Wraparound (CWE-190) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-40553 |
| Publication date | 13 July 2026 |
| Vendor | GNU |
| Product | gawk |
| Vulnerable versions | All through 5.4.0 |
| Vulnerability type (CWE) | Stack-based Buffer Overflow (CWE-121) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in GNU gawk software and participated in coordination of their disclosure.
The vulnerability CVE-2026-40467: Use After Free vulnerability has been found in io.c program file of gawk (do_getline_redir() routine). This issue may lead to a crash.
The vulnerability CVE-2026-40468: Integer overflow vulnerability has been found in builtin.c program file of gawk. This issue may lead to memory exhaustion on the hosting operating system and could be used to overwrite gawk heap metadata and objects with attacker-controlled bytes.
The vulnerability CVE-2026-40469: Integer overflow vulnerability has been found in builtin.c program file of gawk (do_sub() routine). This issue could be used to overwrite gawk heap metadata and objects causing the program to crash. It affects 32-bit builds of gawk.
The vulnerability CVE-2026-40553: Buffer overflow vulnerability has been found in extension/readdir.c program file of gawk (ftype() routine). This issue could be used to crash the program and potentially to achieve code execution, although the latter has not been confirmed to be feasible.
These vulnerabilities were fixed in release 5.4.1 of gawk.
Credits
We thank Michał Majchrowicz and Marcin Wyczechowski (AFINE) for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.