{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40489", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.114Z", "datePublished": "2026-04-18T01:24:57.278Z", "dateUpdated": "2026-04-20T16:15:31.570Z"}, "containers": {"cna": {"title": "editorconfig-core-c has incomplete fix for CVE-2023-0341", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-97xg-vrcq-254h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-97xg-vrcq-254h"}, {"name": "https://github.com/editorconfig/editorconfig-core-c/commit/5159be88ad50641d9843289adda791ba300421ff", "tags": ["x_refsource_MISC"], "url": "https://github.com/editorconfig/editorconfig-core-c/commit/5159be88ad50641d9843289adda791ba300421ff"}, {"name": "https://github.com/editorconfig/editorconfig-core-c/releases/tag/v0.12.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/editorconfig/editorconfig-core-c/releases/tag/v0.12.11"}], "affected": [{"vendor": "editorconfig", "product": "editorconfig-core-c", "versions": [{"version": "< 0.12.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T01:24:57.278Z"}, "descriptions": [{"lang": "en", "value": "editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. This is an incomplete fix for CVE-2023-0341. The pcre_str buffer was protected in 0.12.6 but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix."}], "source": {"advisory": "GHSA-97xg-vrcq-254h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:10:35.794222Z", "id": "CVE-2026-40489", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:15:31.570Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40489", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T16:10:35.794222Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:10:37.295Z"}}], "cna": {"title": "editorconfig-core-c has incomplete fix for CVE-2023-0341", "source": {"advisory": "GHSA-97xg-vrcq-254h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "editorconfig", "product": "editorconfig-core-c", "versions": [{"status": "affected", "version": "< 0.12.11"}]}], "references": [{"url": "https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-97xg-vrcq-254h", "name": "https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-97xg-vrcq-254h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/editorconfig/editorconfig-core-c/commit/5159be88ad50641d9843289adda791ba300421ff", "name": "https://github.com/editorconfig/editorconfig-core-c/commit/5159be88ad50641d9843289adda791ba300421ff", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/editorconfig/editorconfig-core-c/releases/tag/v0.12.11", "name": "https://github.com/editorconfig/editorconfig-core-c/releases/tag/v0.12.11", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. This is an incomplete fix for CVE-2023-0341. The pcre_str buffer was protected in 0.12.6 but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-18T01:24:57.278Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40489", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:15:31.570Z", "dateReserved": "2026-04-13T19:50:42.114Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-18T01:24:57.278Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. This is an incomplete fix for CVE-2023-0341. The pcre_str buffer was protected in 0.12.6 but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix."}], "id": "CVE-2026-40489", "lastModified": "2026-04-20T18:59:16.353", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T02:16:11.827", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/editorconfig/editorconfig-core-c/commit/5159be88ad50641d9843289adda791ba300421ff"}, {"source": "security-advisories@github.com", "url": "https://github.com/editorconfig/editorconfig-core-c/releases/tag/v0.12.11"}, {"source": "security-advisories@github.com", "url": "https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-97xg-vrcq-254h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}, {"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.12.11)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "editorconfig-core-c", "source": "cna", "vendor": "editorconfig"}, "product": "editorconfig", "vendor": "editorconfig"}], "analysis": {"en": {"generated_at": "2026-04-18T17:02:45.672205+00:00", "value": {"mitigation_remediation": ["Update libeditorconfig to version 0.12.11 or later to apply the vendor fix.", "If an immediate upgrade is not possible, configure the application or file system to inhibit processing of .editorconfig files from untrusted directories, such as removing those directories from the configuration search path or setting restrictive permissions.", "Monitor logs for abnormal crashes or SIGABRT events; if detected, isolate the affected process or apply sandboxing to limit the impact of any potential overflow."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is editorconfig-core-c, a core library used by plugins and applications that need EditorConfig parsing. All releases up to and including 0.12.10 are vulnerable. The library is referenced by vendor editorconfig:editorconfig-core-c. Software that statically or dynamically links libeditorconfig, such as integrated development environments, code editors, or build tools that support EditorConfig, may be impacted if they use a vulnerable library version. The fix is included in version 0.12.11; upgrading to that or later resolves the issue.", "description_and_impact": "The vulnerability is a stack-based buffer overflow in the ec_glob() function of the editorconfig-core-c library. The function fails to protect the l_pattern[8194] stack buffer, resulting in a stack corruption when a specially crafted directory structure and .editorconfig file are parsed. This flaw can crash any application that links libeditorconfig, provoking a SIGABRT on systems such as Ubuntu 24.04 and leading to a denial of service. Although no arbitrary code execution is reported, the defect is a classic stack-based buffer overflow (CWE-121) and an out-of-bounds write on a stack buffer (CWE-787). The issue is an incomplete fix for CVE-2023-0341 and was addressed in release 0.12.11.", "risk_and_exploitability": "The CVSS score of 8.6 indicates a high severity vulnerability. Based on the description, it is inferred that the attack vector is local or remote if the application processes untrusted configuration files, allowing an attacker to supply a malformed .editorconfig file to trigger the overflow. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. However, the high CVSS and the nature of the stack overflow create a strong risk of denial of service in affected systems that process untrusted configuration data. The attack does not provide arbitrary code execution but can disrupt availability of the affected application."}}}}, "created": "2026-04-18T17:15:05.773041+00:00", "updated": "2026-04-20T14:58:54.155956+00:00", "vendors": ["editorconfig", "editorconfig$PRODUCT$editorconfig"]}