Vulnerability Details CVE-2026-58471
GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 12.6%
CVSS Severity
CVSS v3 Score 5.9
Products affected by CVE-2026-58471
-
-
-
cpe:2.3:a:gnu:wget:1.10.1
-
cpe:2.3:a:gnu:wget:1.10.2
-
-
cpe:2.3:a:gnu:wget:1.11.1
-
cpe:2.3:a:gnu:wget:1.11.2
-
cpe:2.3:a:gnu:wget:1.11.3
-
cpe:2.3:a:gnu:wget:1.11.4
-
cpe:2.3:a:gnu:wget:1.11.4-1
-
-
-
cpe:2.3:a:gnu:wget:1.13.1
-
cpe:2.3:a:gnu:wget:1.13.3
-
cpe:2.3:a:gnu:wget:1.13.4
-
-
-
-
cpe:2.3:a:gnu:wget:1.16.1
-
cpe:2.3:a:gnu:wget:1.16.2
-
cpe:2.3:a:gnu:wget:1.16.3
-
-
cpe:2.3:a:gnu:wget:1.17.1
-
-
-
cpe:2.3:a:gnu:wget:1.19.1
-
cpe:2.3:a:gnu:wget:1.19.2
-
cpe:2.3:a:gnu:wget:1.19.3
-
cpe:2.3:a:gnu:wget:1.19.4
-
cpe:2.3:a:gnu:wget:1.19.5
-
-
cpe:2.3:a:gnu:wget:1.20.1
-
-
-
-
-
-
-
-
-
-
-
-
-
-