{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33491", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.971Z", "datePublished": "2026-03-26T18:39:55.093Z", "dateUpdated": "2026-03-27T03:55:39.895Z"}, "containers": {"cna": {"title": "Zen-C has Stack-Based Buffer Overflow in Identifier Mangling", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/zenc-lang/zenc/security/advisories/GHSA-rv74-w6q7-h8xr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zenc-lang/zenc/security/advisories/GHSA-rv74-w6q7-h8xr"}], "affected": [{"vendor": "zenc-lang", "product": "zenc", "versions": [{"version": "< 0.4.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T18:39:55.093Z"}, "descriptions": [{"lang": "en", "value": "Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.4, a stack-based buffer overflow vulnerability in the Zen C compiler allows attackers to cause a compiler crash or potentially execute arbitrary code by providing a specially crafted Zen C source file (`.zc`) with excessively long struct, function, or trait identifiers. Users are advised to update to Zen C version v0.4.4 or later to receive a patch."}], "source": {"advisory": "GHSA-rv74-w6q7-h8xr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-33491"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T03:55:39.895Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33491", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:48:07.603810Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:50:33.517Z"}}], "cna": {"title": "Zen-C has Stack-Based Buffer Overflow in Identifier Mangling", "source": {"advisory": "GHSA-rv74-w6q7-h8xr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "zenc-lang", "product": "zenc", "versions": [{"status": "affected", "version": "< 0.4.4"}]}], "references": [{"url": "https://github.com/zenc-lang/zenc/security/advisories/GHSA-rv74-w6q7-h8xr", "name": "https://github.com/zenc-lang/zenc/security/advisories/GHSA-rv74-w6q7-h8xr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.4, a stack-based buffer overflow vulnerability in the Zen C compiler allows attackers to cause a compiler crash or potentially execute arbitrary code by providing a specially crafted Zen C source file (`.zc`) with excessively long struct, function, or trait identifiers. Users are advised to update to Zen C version v0.4.4 or later to receive a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T18:39:55.093Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33491", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:52:10.550Z", "dateReserved": "2026-03-20T16:16:48.971Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T18:39:55.093Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zenc-lang:zen_c:*:*:*:*:*:*:*:*", "matchCriteriaId": "87358648-AF3A-4D67-86CE-03A43A883BC1", "versionEndExcluding": "0.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.4, a stack-based buffer overflow vulnerability in the Zen C compiler allows attackers to cause a compiler crash or potentially execute arbitrary code by providing a specially crafted Zen C source file (`.zc`) with excessively long struct, function, or trait identifiers. Users are advised to update to Zen C version v0.4.4 or later to receive a patch."}, {"lang": "es", "value": "Zen C es un lenguaje de programaci\u00f3n de sistemas que compila a GNU C/C11 legible por humanos. Antes de la versi\u00f3n 0.4.4, una vulnerabilidad de desbordamiento de b\u00fafer basado en pila en el compilador de Zen C permite a los atacantes causar un fallo del compilador o potencialmente ejecutar c\u00f3digo arbitrario al proporcionar un archivo fuente de Zen C especialmente dise\u00f1ado ('.zc') con identificadores de estructura, funci\u00f3n o rasgo excesivamente largos. Se aconseja a los usuarios actualizar a la versi\u00f3n v0.4.4 de Zen C o posterior para recibir un parche."}], "id": "CVE-2026-33491", "lastModified": "2026-05-01T14:38:20.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T19:17:04.333", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/zenc-lang/zenc/security/advisories/GHSA-rv74-w6q7-h8xr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "zenc", "source": "cna", "vendor": "zenc-lang"}, "product": "zenc", "vendor": "zenc-lang"}], "analysis": {"en": {"generated_at": "2026-04-02T23:09:48.149599+00:00", "value": {"mitigation_remediation": ["Upgrade Zen\u202fC to version\u202f0.4.4 or later.", "Restrict compiler use to trusted developers or build systems.", "Reject or sanitize source files that contain unusually long identifiers.", "Monitor compiler logs for crashes or abnormal behavior."], "summary": {"action": "Patch Now", "impact": "Stack-Based Buffer Overflow potentially enabling code execution"}, "threat_synthesis": {"affected_systems": "The affected product is Zen C, a systems programming language that compiles to GNU C/C11, with the CNAs listing zenc\u2011lang as the vendor. Versions prior to 0.4.4 are vulnerable. Users who compile code with identifiers longer than normal limits are at risk. The change set in the 0.4.4 release hardens the identifier handling to eliminate the overflow.", "description_and_impact": "A stack-based buffer overflow occurs during the Zen C compiler\u2019s identifier mangling when struct, function, or trait names exceed expected lengths. The overflow can corrupt the compiler's stack, leading to a crash or, by exploiting the memory corruption, execution of arbitrary code. The weakness corresponds to the classic stack overflow class of vulnerabilities. The impact is loss of availability through compiler crashes and potential confidentiality, integrity, and availability compromise if code execution is achieved.", "risk_and_exploitability": "The CVSS score of 7.8 denotes high severity. The EPSS score below 1\u202f% and absence from the KEV catalog suggest a low likelihood of current exploitation. The likely attack vector, inferred from the description, is a locally\u2011sourced malicious source file submitted to the compiler; an attacker must have compiler access to supply the crafted identifiers. Because the vulnerability is in the compile phase, privilege escalation depends on the compiler\u2019s runtime privileges. The absence of a publicly documented exploit reduces immediate risk but remediation is advised due to the severity and potential impact if exploited."}}}}, "created": "2026-03-27T08:33:23.017812+00:00", "updated": "2026-04-03T09:38:55.239119+00:00", "vendors": ["zenc-lang", "zenc-lang$PRODUCT$zenc"]}