mediumCVE-2026-56289

GNU patch Unified Diff Infinite Loop Denial of Service Vulnerability

GNU patch is vulnerable to a denial of service (DoS) due to improper validation of hunk (single block of changes in diff) line offsets in unified-diff input. A specially crafted patch can specify an extremely large line number, causing the application to enter an effectively infinite processing loop while attempting to locate the requested position. This results in excessive CPU consumption and prevents the process from completing. An attacker can trigger this behavior by supplying a malicious patch file, causing the utility to become unresponsive and require manual termination. This issue has been fixed in the commit faba04ef4f2b410257f76c1b9dc85e350929c4b9

Productpatch
CVSS4.6
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

GNU Project patch should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • GNU patch versions before commit faba04ef4f2b410257f76c1b9dc85e350929c4b9

Fixed versions

  • faba04ef4f2b410257f76c1b9dc85e350929c4b9

How to fix it

GNU patch is affected by CVE-2026-56289. The vulnerable code path can be triggered by a malicious unified diff: crafted unified diff offsets can force patch into an effectively infinite processing loop. Patch build systems, CI workers, package processors, and any service that accepts patch files from users.

  1. Inventory hosts, containers, CI runners, and developer tooling that execute GNU patch on untrusted or semi-trusted input.
  2. Update GNU patch to include commit faba04ef4f2b410257f76c1b9dc85e350929c4b9 or a downstream package that contains the fix.
  3. Rebuild container images and CI base images that include the vulnerable patch binary.
  4. Reject or sandbox user-supplied patch files until patched binaries are deployed.
  5. Apply CPU and runtime limits around patch processing jobs that must remain exposed.
  6. Review CI logs and worker telemetry for stuck patch processes or crash loops.
  7. Remove old vulnerable toolchain images from registries and runner caches.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm GNU patch includes commit faba04ef4f2b410257f76c1b9dc85e350929c4b9 or a vendor package that references CVE-2026-56289.
  • Run a safe regression test with normal unified diffs and confirm patch behavior still works.
  • Run the known malformed input only in a controlled staging environment and confirm it exits safely.
  • Confirm CI runners use rebuilt base images rather than cached vulnerable images.
  • Run a Fixnx scan and review public upload or code review endpoints that accept diff files.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-56289?

GNU Project patch versions listed as affected should be reviewed: GNU patch versions before commit faba04ef4f2b410257f76c1b9dc85e350929c4b9.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.