Null Pointer Dereference in GNU Patch (CVE-2026-56288)
CVE-2026-56288 Published on July 9, 2026
NULL Pointer Dereference in GNU patch
GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk (single block of changes in diff) data structures, causing the application to pass a NULL pointer to fwrite() during patch processing.
An attacker can trigger this condition with a malicious patch file, causing the utility to crash and resulting in a denial of service.
This issue has been fixed in the commit e6d6a4e021660679d7fc9150f981d4920f722313
Weakness Type
NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.
Products Associated with CVE-2026-56288
Want to know whenever a new CVE is published for GNU Patch? stack.watch will email you.
Affected Versions
GNU patch:- Before and including 2.8.0 is affected.