mediumCVE-2026-58470

CVE-2026-58470 GNU Wget vulnerability

GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.

ProductGNU Wget
CVSS6.9
EPSS0.00247
UpdatedJuly 12, 2026

Quick answer

GNU Wget should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • GNU Wget through 1.25.0

Fixed versions

  • commit 43d3ba9336bc94937e6fae2365c6ffd30c34ffcf

How to fix it

CVE-2026-58470 affects GNU Wget through version 1.25.0 in parse_content_range() in src/http.c. A malicious or compromised server can trigger integer overflow and download-state confusion from malicious Content-Range values, so systems that use Wget in automated fetch, mirroring, build, or deployment jobs should be prioritized. The upstream fix is commit 43d3ba9336bc94937e6fae2365c6ffd30c34ffcf; apply a vendor package that includes that patch, a distro backport, or a locally rebuilt Wget package containing the commit. Until a patched package is deployed, reduce use of affected Wget workflows against untrusted servers, especially resume, ranged HTTP downloads, and automation that talks to untrusted servers.

  1. Inventory GNU Wget installations on servers, containers, CI runners, deployment images, cron jobs, backup scripts, and developer workstations.
  2. Identify Wget versions through package metadata and `wget --version`, and treat versions through 1.25.0 as affected unless the vendor package clearly backports the relevant fix.
  3. Update GNU Wget to a vendor-supported patched package or backport the upstream fix commit 43d3ba9336bc94937e6fae2365c6ffd30c34ffcf.
  4. Reduce exposure to resume, ranged HTTP downloads, and automation that talks to untrusted servers until patched, and avoid using vulnerable Wget against untrusted or user-controlled URLs.
  5. Run high-risk download automation in a restricted container or sandbox with minimal credentials, filesystem access, and outbound reachability.
  6. Review recent download logs, CI artifacts, mirrors, and fetched files for unexpected servers, crafted headers, malformed Metalink data, or abnormal Wget crashes.
  7. Rebuild base images and redeploy automation hosts so patched Wget is used consistently by scripts, package mirrors, and scheduled jobs.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm package changelogs or source history include CVE-2026-58470 or upstream commit 43d3ba9336bc94937e6fae2365c6ffd30c34ffcf.
  • Confirm `wget --version` and package manager output show the patched vendor build on every affected host and container image.
  • Rerun OS package, container, and dependency scans to confirm vulnerable Wget builds are no longer reported.
  • Retest affected download, mirroring, resume, conversion, or Metalink workflows against trusted fixtures and confirm they complete without crashes or unsafe parsing behavior.
  • Document patched package versions, rebuilt images, compensating controls, and scan evidence for change tracking.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-58470?

GNU Wget versions listed as affected should be reviewed: GNU Wget through 1.25.0.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.