mediumCVE-2026-56288

GNU patch NULL Pointer Dereference Denial of Service Vulnerability

GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk (single block of changes in diff) data structures, causing the application to pass a NULL pointer to fwrite() during patch processing. An attacker can trigger this condition with a malicious patch file, causing the utility to crash and resulting in a denial of service. This issue has been fixed in the commit e6d6a4e021660679d7fc9150f981d4920f722313

Productpatch
CVSS4.6
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

GNU Project patch should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • GNU patch versions before commit e6d6a4e021660679d7fc9150f981d4920f722313

Fixed versions

  • e6d6a4e021660679d7fc9150f981d4920f722313

How to fix it

GNU patch is affected by CVE-2026-56288. The vulnerable code path can be triggered by a malicious unified diff: malformed EOF newline markers can trigger a NULL pointer dereference and crash. Patch build systems, CI workers, package processors, and any service that accepts patch files from users.

  1. Inventory hosts, containers, CI runners, and developer tooling that execute GNU patch on untrusted or semi-trusted input.
  2. Update GNU patch to include commit e6d6a4e021660679d7fc9150f981d4920f722313 or a downstream package that contains the fix.
  3. Rebuild container images and CI base images that include the vulnerable patch binary.
  4. Reject or sandbox user-supplied patch files until patched binaries are deployed.
  5. Apply CPU and runtime limits around patch processing jobs that must remain exposed.
  6. Review CI logs and worker telemetry for stuck patch processes or crash loops.
  7. Remove old vulnerable toolchain images from registries and runner caches.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm GNU patch includes commit e6d6a4e021660679d7fc9150f981d4920f722313 or a vendor package that references CVE-2026-56288.
  • Run a safe regression test with normal unified diffs and confirm patch behavior still works.
  • Run the known malformed input only in a controlled staging environment and confirm it exits safely.
  • Confirm CI runners use rebuilt base images rather than cached vulnerable images.
  • Run a Fixnx scan and review public upload or code review endpoints that accept diff files.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-56288?

GNU Project patch versions listed as affected should be reviewed: GNU patch versions before commit e6d6a4e021660679d7fc9150f981d4920f722313.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.