UBUNTU-CVE-2026-56289

Source
https://ubuntu.com/security/CVE-2026-56289
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-56289.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-56289
Upstream
  • CVE-2026-56289
Published
2026-07-09T11:16:00Z
Modified
2026-07-15T19:47:46.492252400Z
Severity
  • 4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L CVSS Calculator
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • Ubuntu - low
Summary
[none]
Details

GNU patch is vulnerable to a denial of service (DoS) due to improper validation of hunk (single block of changes in diff) line offsets in unified-diff input. A specially crafted patch can specify an extremely large line number, causing the application to enter an effectively infinite processing loop while attempting to locate the requested position. This results in excessive CPU consumption and prevents the process from completing. An attacker can trigger this behavior by supplying a malicious patch file, causing the utility to become unresponsive and require manual termination. This issue has been fixed in the commit faba04ef4f2b410257f76c1b9dc85e350929c4b9

References

Affected packages

Ubuntu:16.04:LTS
patch

Package

Name
patch
Purl
pkg:deb/ubuntu/patch?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.7.5-1
2.7.5-1ubuntu0.16.04.1
2.7.5-1ubuntu0.16.04.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "patch",
            "binary_version": "2.7.5-1ubuntu0.16.04.2"
        }
    ],
    "priority_reason": "Only a DoS in a command line tool"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-56289.json"
Ubuntu:18.04:LTS
patch

Package

Name
patch
Purl
pkg:deb/ubuntu/patch?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.7.5-1build1
2.7.6-1
2.7.6-2ubuntu1
2.7.6-2ubuntu1.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "patch",
            "binary_version": "2.7.6-2ubuntu1.1"
        }
    ],
    "priority_reason": "Only a DoS in a command line tool"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-56289.json"
Ubuntu:20.04:LTS
patch

Package

Name
patch
Purl
pkg:deb/ubuntu/patch?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.7.6-6

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "patch",
            "binary_version": "2.7.6-6"
        }
    ],
    "priority_reason": "Only a DoS in a command line tool"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-56289.json"
Ubuntu:22.04:LTS
patch

Package

Name
patch
Purl
pkg:deb/ubuntu/patch?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.7.6-7
2.7.6-7build1
2.7.6-7build2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "patch",
            "binary_version": "2.7.6-7build2"
        }
    ],
    "priority_reason": "Only a DoS in a command line tool"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-56289.json"
Ubuntu:24.04:LTS
patch

Package

Name
patch
Purl
pkg:deb/ubuntu/patch?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.7.6-7build2
2.7.6-7build3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "patch",
            "binary_version": "2.7.6-7build3"
        }
    ],
    "priority_reason": "Only a DoS in a command line tool"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-56289.json"
Ubuntu:25.10
patch

Package

Name
patch
Purl
pkg:deb/ubuntu/patch?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.7.6-7build3
2.8-1
2.8-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "patch",
            "binary_version": "2.8-2"
        }
    ],
    "priority_reason": "Only a DoS in a command line tool"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-56289.json"
Ubuntu:26.04:LTS
patch

Package

Name
patch
Purl
pkg:deb/ubuntu/patch?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.8-2
2.8-2build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "patch",
            "binary_version": "2.8-2build1"
        }
    ],
    "priority_reason": "Only a DoS in a command line tool"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-56289.json"
Ubuntu:Pro:14.04:LTS
patch

Package

Name
patch
Purl
pkg:deb/ubuntu/patch?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.7.1-3
2.7.1-4
2.7.1-4ubuntu1
2.7.1-4ubuntu2
2.7.1-4ubuntu2.3
2.7.1-4ubuntu2.4
2.7.1-4ubuntu2.4+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "patch",
            "binary_version": "2.7.1-4ubuntu2.4+esm1"
        }
    ],
    "priority_reason": "Only a DoS in a command line tool"
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-56289.json"