Impact Analysis

This vulnerability can cause the affected application to crash or exit unexpectedly due to a segmentation fault caused by a null pointer dereference.

The impact is primarily on availability, as the application becomes unavailable when the fault is triggered.

Since exploitation requires local access, remote attackers cannot exploit this vulnerability directly, but local users or processes with access could trigger the crash.

No patches or mitigations are currently available, and the maintainers have not responded to the issue, so affected users are advised to consider replacing oatpp with an alternative.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability manifests as a segmentation fault caused by a NULL pointer dereference in the oatpp library when copying an invalid or corrupted oatpp::String object. Detection involves monitoring for application crashes or segmentation faults related to the oatpp::data::type::ObjectWrapper copy constructor.'}, {'type': 'paragraph', 'content': 'One way to detect the issue is to run the application with AddressSanitizer (ASAN) enabled, which can catch the NULL pointer dereference and provide detailed reports including stack traces pointing to src/oatpp/data/type/Type.hpp line 172.'}, {'type': 'paragraph', 'content': 'A practical detection method is to reproduce the fault by feeding malformed JSON input that corrupts the oatpp::String object, such as the proof-of-concept JSON: {"title":"Test","tags":["a","b"],"children":[null{"name":"child1","id":1}]}'}, {'type': 'paragraph', 'content': 'Suggested commands include running the oatpp application or test harness with ASAN enabled and providing the malformed JSON input to trigger and observe the segmentation fault.'}] [1, 4]

Useful 0 Not Useful 0

Mitigation Strategies

Currently, there are no patches or official mitigations available for this vulnerability as the oatpp project has not responded to the issue report.

Immediate mitigation steps include restricting local access to the affected systems since the attack requires local access.

Consider avoiding processing untrusted or malformed JSON inputs that could corrupt oatpp::String objects.

As a longer-term mitigation, it is suggested to consider replacing oatpp with an alternative library or framework that does not have this vulnerability.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-1990 is a null pointer dereference vulnerability in the oatpp library, specifically affecting the copy constructor of the template class oatpp::data::type::ObjectWrapper when copying an oatpp::String object.

The vulnerability occurs because the source oatpp::String object being copied is in an invalid or corrupted state, possibly due to malformed JSON input or a null pointer cast. This causes the std::shared_ptr mechanism inside ObjectWrapper to attempt to increment the reference count of a NULL control block pointer, leading to a segmentation fault (crash) due to a read memory access violation.

Exploitation requires local access and involves triggering the fault by providing corrupted input that causes the invalid state in the oatpp::String object.

Useful 0 Not Useful 0