CVE-2025-13601
high-risk
Published 2025-11-26
A heap-based buffer overflow was found in glib, caused by an incorrect buffer-size calculation in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (characters that need escaping), the calculation of the escaped string's length can overflow, so the newly allocated buffer is too small and the escaping loop can write past its end.
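Added example, not glib's code and not the fix shipped in the advisories below: an illustrative percent-encoder whose buffer-size calculation is done in size_t with explicit overflow checks, so an input with a pathological number of characters to escape is refused instead of under-allocated. The "unacceptable" character rule and the function names are assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Example rule (an assumption of this example, not glib's table): anything
 * outside the RFC 3986 unreserved set is "unacceptable" and gets %XX-encoded. */
static bool needs_escape(unsigned char c)
{
    return !(isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~');
}

/* Size of the escaped buffer, including the terminating NUL, computed in
 * size_t with explicit bounds checks. Each escaped byte becomes 3 bytes, so
 * the growth is 2 * unacceptable; refuse instead of wrapping around. */
bool escaped_buffer_size(size_t len, size_t unacceptable, size_t *out)
{
    if (unacceptable > SIZE_MAX / 2)                 /* 2 * unacceptable wraps */
        return false;
    size_t extra = unacceptable * 2;
    if (len >= SIZE_MAX - extra)                     /* len + extra + 1 wraps */
        return false;
    *out = len + extra + 1;
    return true;
}

/* Illustrative percent-encoder (not glib's code): counts the characters that
 * need escaping, sizes the buffer with the checked helper, then writes into
 * it. Returns a malloc'd string, or NULL on size overflow or allocation failure. */
char *escape_uri_checked(const char *s)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = strlen(s), unacceptable = 0, size, i, j = 0;
    for (i = 0; i < len; i++)
        unacceptable += needs_escape((unsigned char)s[i]);
    if (!escaped_buffer_size(len, unacceptable, &size))
        return NULL;
    char *out = malloc(size);
    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!needs_escape(c)) { out[j++] = (char)c; continue; }
        out[j++] = '%'; out[j++] = hex[c >> 4]; out[j++] = hex[c & 0x0F];
    }
    out[j] = '\0';                                   /* j == size - 1 */
    return out;
}
```

The same discipline applies to the counter itself: keeping it in size_t rather than a narrower signed type is what makes the two checks above sufficient.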
Do I need to act?
EPSS: 0.01% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 7.7/10 (High); LOCAL attack vector, LOW attack complexity
Affected Products (20)
Codeready Linux Builder For Ibm Z Systems
Codeready Linux Builder For Power Little Endian
Codeready Linux Builder For X86 64
Enterprise Linux For X86 64
Codeready Linux Builder For Arm64
References (29)
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:0936
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:0975
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:0991
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:1323
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:1324
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:1326
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:1327
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:1465
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:1608
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:1624
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:1625
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:1626
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:1627
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:1652
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:1736
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:2064
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:2072
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:2485
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:2563
Vendor Advisory: https://access.redhat.com/errata/RHSA-2026:2633
and 9 more references
Risk score: 54/100 (high-risk)
Severity: 24/34 · High
Exploitability: 0/34 · Minimal
Exposure: 30/34 · Critical