Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-58015
PUBLISHED
More InfoOfficial Page
Assigner-redhat
Assigner Org ID-53f830b8-0a3f-465b-8143-3b8a9948e749
View Known Exploited Vulnerability (KEV) details
Published At-30 Jun, 2026 | 13:02
Updated At-02 Jul, 2026 | 00:42
Rejected At-
▼CVE Numbering Authority (CNA)
Glib: path traversal in glib/gio/gdbusauthmechanismsha1.c via keyring_lookup_entry and mechanism_client_data_receive

A flaw was found in GLib. The D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism does not validate the cookie_context parameter received from the server. A malicious D-Bus server can supply a cookie_context containing path traversal sequences, causing the client to read an arbitrary file and exfiltrate sensitive data by verifying guessed file contents against a generated hash.

Affected Products
Vendor
The GNOME ProjectGNOME
Product
GLib
Collection URL
https://gitlab.gnome.org/GNOME/glib/
Package Name
GLib
Default Status
unaffected
Versions
Affected
  • From 0 before 2.88.1 (semver)
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 10
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
glib2
CPEs
  • cpe:/o:redhat:enterprise_linux:10
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 10
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
mingw-glib2
CPEs
  • cpe:/o:redhat:enterprise_linux:10
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 6
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
glib2
CPEs
  • cpe:/o:redhat:enterprise_linux:6
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 7
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
glib2
CPEs
  • cpe:/o:redhat:enterprise_linux:7
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 8
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
glib2
CPEs
  • cpe:/o:redhat:enterprise_linux:8
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 8
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
mingw-glib2
CPEs
  • cpe:/o:redhat:enterprise_linux:8
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 9
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
glib2
CPEs
  • cpe:/o:redhat:enterprise_linux:9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 9
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
mingw-glib2
CPEs
  • cpe:/o:redhat:enterprise_linux:9
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Hardened Images
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
glib2
CPEs
  • cpe:/a:redhat:hummingbird:1
Default Status
unaffected
Metrics
VersionBase scoreBase severityVector
3.15.9MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 5.9
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Red Hat severity rating
value:
Moderate
namespace:
https://access.redhat.com/security/updates/classification/
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

To mitigate this vulnerability, ensure that applications only connect to trusted D-Bus servers and operate within secure, isolated networks to prevent man-in-the-middle (MitM) attacks. If feasible, configuring the D-Bus connection to strictly require the EXTERNAL authentication mechanism and disabling DBUS_COOKIE_SHA1 will completely neutralize this issue.

Exploits

Credits

Red Hat would like to thank Thepwnisher for reporting this issue.
Timeline
EventDate
Reported to Red Hat.2026-06-24 17:22:00
Made public.2026-04-08 00:00:00
Event: Reported to Red Hat.
Date: 2026-06-24 17:22:00
Event: Made public.
Date: 2026-04-08 00:00:00
Replaced By

Rejected Reason

References
HyperlinkResource
https://access.redhat.com/security/cve/CVE-2026-58015
vdb-entry
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2492256
issue-tracking
x_refsource_REDHAT
https://gitlab.gnome.org/GNOME/glib/-/issues/3931
N/A
Hyperlink: https://access.redhat.com/security/cve/CVE-2026-58015
Resource:
vdb-entry
x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2492256
Resource:
issue-tracking
x_refsource_REDHAT
Hyperlink: https://gitlab.gnome.org/GNOME/glib/-/issues/3931
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Problem Types
TypeCWE IDDescription
CWECWE-22CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Type: CWE
CWE ID: CWE-22
Description: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Details not found