📦

patch

Vendor: tanium

Login to add this product to WatchStack
Actively Exploited 0 CISA KEV List
PoC / Exploits 0 Code Available
Total RCEs 2 Remote Access
Total CVEs 4 Total Indexed
Avg. EPSS 7.41% Exploit Prob.
Latest CVE CVE-2025-15337 Feb 05

Security Vulnerability Index

Page 1 / 1
6.5 CVSS
CVE-2025-15337

Tanium addressed an incorrect default permissions vulnerability in Patch.

EPSS: 0.01%
4.3 CVSS
CVE-2025-15326

Tanium addressed an improper access controls vulnerability in Patch.

EPSS: 0.01%
5.5 CVSS
CVE-2021-45261

An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

EPSS: 0.15%
5.5 CVSS
CVE-2019-20633

GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free vulnerability in the function another_hunk in pch.c that can cause a denial of service via a crafted patch file. NOTE: this issue exists because of an incomplete fix for CVE-2018-6952.

EPSS: 0.12%
7.5 CVSS
CVE-2015-1396

A Directory Traversal vulnerability exists in the GNU patch before 2.7.4. A remote attacker can write to arbitrary files via a symlink attack in a patch file. NOTE: this issue exists because of an incomplete fix for CVE-2015-1196.

EPSS: 3.66%
7.8 CVSS
CVE-2018-20969
RCE

do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings beginning with a ! character. NOTE: this is the same commit as for CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to a shell metacharacter.

EPSS: 0.36%
7.8 CVSS
CVE-2019-13638
RCE

GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.

EPSS: 2.05%
5.9 CVSS
CVE-2019-13636

In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.

EPSS: 4.33%
7.8 CVSS
CVE-2018-1000156

GNU Patch version 2.7.6 contains an input validation vulnerability when processing patch files, specifically the EDITOR_PROGRAM invocation (using ed) can result in code execution. This attack appear to be exploitable via a patch file processed via the patch utility. This is similar to FreeBSD's CVE-2015-1418 however although they share a common ancestry the code bases have diverged over time.

EPSS: 36.76%
7.5 CVSS
CVE-2018-6952

A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

EPSS: 11.81%