highCVE-2026-58469

CVE-2026-58469 GNU Wget vulnerability

GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.

ProductGNU Wget
CVSS8.7
EPSS0.00351
UpdatedJuly 12, 2026

Quick answer

GNU Wget should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • GNU Wget through 1.25.0

Fixed versions

  • commit 37a40fcb450153f69537c7cbc2a7a4fb0b6f7826

How to fix it

CVE-2026-58469 affects GNU Wget through version 1.25.0 in clean_metalink_string() in src/metalink.c. A malicious or compromised server can trigger heap buffer underread from a Metalink document containing a whitespace-only URL, so systems that use Wget in automated fetch, mirroring, build, or deployment jobs should be prioritized. The upstream fix is commit 37a40fcb450153f69537c7cbc2a7a4fb0b6f7826; apply a vendor package that includes that patch, a distro backport, or a locally rebuilt Wget package containing the commit. Until a patched package is deployed, reduce use of affected Wget workflows against untrusted servers, especially Metalink downloads from untrusted or user-selected sources.

  1. Inventory GNU Wget installations on servers, containers, CI runners, deployment images, cron jobs, backup scripts, and developer workstations.
  2. Identify Wget versions through package metadata and `wget --version`, and treat versions through 1.25.0 as affected unless the vendor package clearly backports the relevant fix.
  3. Update GNU Wget to a vendor-supported patched package or backport the upstream fix commit 37a40fcb450153f69537c7cbc2a7a4fb0b6f7826.
  4. Reduce exposure to Metalink downloads from untrusted or user-selected sources until patched, and avoid using vulnerable Wget against untrusted or user-controlled URLs.
  5. Run high-risk download automation in a restricted container or sandbox with minimal credentials, filesystem access, and outbound reachability.
  6. Review recent download logs, CI artifacts, mirrors, and fetched files for unexpected servers, crafted headers, malformed Metalink data, or abnormal Wget crashes.
  7. Rebuild base images and redeploy automation hosts so patched Wget is used consistently by scripts, package mirrors, and scheduled jobs.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm package changelogs or source history include CVE-2026-58469 or upstream commit 37a40fcb450153f69537c7cbc2a7a4fb0b6f7826.
  • Confirm `wget --version` and package manager output show the patched vendor build on every affected host and container image.
  • Rerun OS package, container, and dependency scans to confirm vulnerable Wget builds are no longer reported.
  • Retest affected download, mirroring, resume, conversion, or Metalink workflows against trusted fixtures and confirm they complete without crashes or unsafe parsing behavior.
  • Document patched package versions, rebuilt images, compensating controls, and scan evidence for change tracking.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-58469?

GNU Wget versions listed as affected should be reviewed: GNU Wget through 1.25.0.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.