{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-42371", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-27T05:50:35.801Z", "datePublished": "2026-04-27T05:50:36.185Z", "dateUpdated": "2026-04-27T14:41:22.410Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "uriparser", "vendor": "uriparser", "versions": [{"lessThan": "1.0.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-197", "description": "CWE-197 Numeric Truncation Error", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-27T06:07:08.588Z"}, "references": [{"url": "https://github.com/uriparser/uriparser/pull/298"}, {"url": "https://uriparser.github.io"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T11:07:03.859190Z", "id": "CVE-2026-42371", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T11:09:51.263Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/27/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-27T14:41:22.410Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/27/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-27T14:41:22.410Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42371", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T11:07:03.859190Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T11:07:11.858Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "uriparser", "product": "uriparser", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/uriparser/uriparser/pull/298"}, {"url": "https://uriparser.github.io"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-197", "description": "CWE-197 Numeric Truncation Error"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-27T06:07:08.588Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42371", "state": "PUBLISHED", "dateUpdated": "2026-04-27T14:41:22.410Z", "dateReserved": "2026-04-27T05:50:35.801Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-27T05:50:36.185Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes."}], "id": "CVE-2026-42371", "lastModified": "2026-04-27T18:57:20.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 3.6, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-27T07:16:04.173", "references": [{"source": "cve@mitre.org", "url": "https://github.com/uriparser/uriparser/pull/298"}, {"source": "cve@mitre.org", "url": "https://uriparser.github.io"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/27/2"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-197"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "uriparser: uriparser: Denial of Service via numeric truncation with oversized URIs", "id": "2463159", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463159"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in uriparser. This vulnerability occurs due to numeric truncation in text range comparison when an application processes extremely long Uniform Resource Identifiers (URIs), specifically those with lengths in gigabytes. A local attacker could exploit this flaw by providing a malformed, excessively long URI, leading to a Denial of Service (DoS) condition where the application becomes unavailable."], "name": "CVE-2026-42371", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "uriparser", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "uriparser", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "uriparser", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-04-27T05:50:36Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-42371\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42371\nhttps://github.com/uriparser/uriparser/pull/298\nhttps://uriparser.github.io"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.1)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "uriparser", "source": "cna", "vendor": "uriparser"}, "product": "uriparser", "vendor": "uriparser_project"}], "analysis": {"en": {"generated_at": "2026-04-28T23:29:36.724519+00:00", "value": {"mitigation_remediation": ["Upgrade uriparser to version 1.0.1 or later.", "If an upgrade is not immediately possible, implement a strict URI length check in the application and reject any URI exceeding a safe threshold before passing it to uriparser.", "Review and audit code that interacts with uriparser to ensure proper input validation and guard against potential truncation issues."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the uriparser library before 1.0.1. Any software that incorporates this library, such as web servers, network utilities, or other applications that parse user\u2011supplied URIs, may be impacted until it is updated to a fixed version.", "description_and_impact": "uriparser versions prior to 1.0.1 contain a numeric truncation bug in the function that compares the textual range of a URI. When the library receives a URI whose length reaches gigabytes, the numeric comparison can behave unexpectedly, potentially allowing the application to process an oversized URI that it should normally reject. This flaw can lead to a denial of service by forcing the application to handle unusually large input data.", "risk_and_exploitability": "The CVSS score of 5.1 indicates a moderate severity. An EPSS score of less than 1\u202f% suggests low exploitation likelihood at present, and the issue is not listed in CISA's KEV catalog. Exploitation would require an attacker to provide an excessively long URI\u2014on the order of gigabytes\u2014to the application. The attack vector is therefore any interface that accepts external URIs and forwards them to uriparser without prior length validation."}}}}, "created": "2026-04-27T20:00:05.353519+00:00", "updated": "2026-04-28T23:30:06.137581+00:00", "vendors": ["uriparser_project", "uriparser_project$PRODUCT$uriparser"]}