CVE-2026-2903
Received - Intake
Null Pointer Dereference in skvadrik re2c Local Function

Publication date: 2026-02-22

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in skvadrik re2c up to 4.4. Impacted is the function check_and_merge_special_rules of the file src/parse/ast.cc. This manipulation causes null pointer dereference. The attack can only be executed locally. The exploit has been published and may be used. Patch name: febeb977936f9519a25d9fbd10ff8256358cdb97. It is suggested to install a patch to address this issue.

Meta Information

Published: 2026-02-22
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-02-22
EPSS Evaluated: 2026-06-14

Affected Vendors & Products

Showing 2 associated CPEs

| Vendor | Product | Version / Range |
|---|---|---|
| skvadrik | re2c | to 4.4 (inc) |
| skvadrik | re2c | From 4.0 (inc) to 4.4 (inc) |

| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |

Executive Summary

CVE-2026-2903 is a null pointer dereference vulnerability in the open-source lexer generator re2c, affecting versions up to 4.4. The flaw occurs in the function check_and_merge_special_rules within the source file src/parse/ast.cc. Specifically, when a grammar block contains actions but no rules, the tool attempts to perform determinization on a null TNFA (Tagged Nondeterministic Finite Automaton) state, leading to a segmentation fault.

This happens because the code does not properly check for empty rule sets before determinization, causing it to dereference a null pointer during the epsilon closure calculation in the determinization phase. The vulnerability can be triggered by crafting input files that specify actions without corresponding rules.

A patch has been released that fixes this issue by adding checks to emit an error if actions exist without rules, preventing the null pointer dereference and subsequent crash.

Impact Analysis

This vulnerability can cause the re2c tool to crash with a segmentation fault when processing specially crafted input files. The null pointer dereference leads to a denial of service by terminating the application unexpectedly.

Since the attack requires local access to execute, it primarily impacts availability rather than confidentiality or integrity. An attacker with local access can exploit this flaw to disrupt the normal operation of the re2c tool.

Compliance Impact

I don't know

Detection Guidance

This vulnerability manifests as a null pointer dereference causing a segmentation fault in the re2c tool during the determinization phase of regex compilation. Detection involves running re2c with AddressSanitizer (ASAN) enabled on a Linux x86_64 system with a specially crafted input file that triggers the fault.

To detect the vulnerability, you can build re2c with ASAN enabled and then run it against a crafted .re file that causes the crash. The ASAN report will indicate a segmentation fault due to a NULL pointer dereference at the function closure_leftmost_dfs in src/dfa/closure_leftmost.h.

Example commands to detect the issue might include:

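  • Build re2c with ASAN enabled through the project's build system (re2c is C++, so use the C++ compiler driver): `./autogen.sh && ./configure CXX=clang++ CXXFLAGS="-fsanitize=address -g -O2" LDFLAGS="-fsanitize=address" && make`
  • Run re2c on a specially crafted input file that triggers the vulnerability: `./re2c vulnerable_input.re`
  • Observe the ASAN output for segmentation fault and NULL pointer dereference errors.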
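
A triage helper for the detection steps above, added here as an example (not code from re2c or from this advisory): it checks a reported version against the affected range and tests whether an ASAN report matches the crash the advisory describes. The `re2c X.Y` version-string format, the first-page threshold for a NULL address, and the sample report are assumptions constructed for illustration.

```python
import re

# Indicators taken from the advisory text above; nothing here comes from re2c itself.
FAULT_FUNC = "closure_leftmost_dfs"
FAULT_FILE = "src/dfa/closure_leftmost.h"
LAST_AFFECTED = (4, 4)   # "up to 4.4"
NULL_PAGE = 0x1000       # assumption: a fault address inside the first page counts as NULL

SEGV = re.compile(r"AddressSanitizer: SEGV on unknown address (0x[0-9a-fA-F]+)")
FRAME = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*)$")
VERSION = re.compile(r"\bre2c\s+(\d+(?:\.\d+)*)")

def is_affected_version(version_output):
    """Compare `re2c --version` output (assumed to look like 're2c 4.4') with the range.
    A 4.4 build that carries the fix commit still reports 4.4, so treat this as a hint."""
    m = VERSION.search(version_output)
    if not m:
        return None  # unknown: do not guess
    return tuple(int(p) for p in m.group(1).split(".")) <= LAST_AFFECTED

def matches_cve_signature(asan_report, max_depth=3):
    """True for a NULL-page SEGV whose top frames are in the function the advisory names."""
    segv = SEGV.search(asan_report)
    if not segv or int(segv.group(1), 16) >= NULL_PAGE:
        return False
    for line in asan_report.splitlines():
        frame = FRAME.match(line)
        if frame and int(frame.group(1)) < max_depth:
            if FAULT_FUNC in frame.group(2) and FAULT_FILE in frame.group(2):
                return True
    return False

# Constructed sample report: PID, addresses, paths and line numbers are placeholders.
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000500000 bp 0x7ffc00000010 sp 0x7ffc00000000 T0)
==4242==The signal is caused by a READ memory access.
==4242==Hint: address points to the zero page.
    #0 0x000000500000 in closure_leftmost_dfs /build/re2c/src/dfa/closure_leftmost.h:1:1
    #1 0x000000500100 in main /build/re2c/placeholder.cc:1:1
"""

if __name__ == "__main__":
    print("affected version:", is_affected_version("re2c 4.4"))
    print("signature match:", matches_cve_signature(SAMPLE_REPORT))
```

Feed it the stderr captured from the ASAN build; a match on a build at or below 4.4 is a strong reason to confirm the fix commit is applied.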

Mitigation Strategies

The immediate mitigation step is to apply the patch identified by commit febeb977936f9519a25d9fbd10ff8256358cdb97, which fixes the null pointer dereference by adding checks to ensure determinization is only attempted when rules are present.

If patching is not immediately possible, avoid running untrusted or specially crafted input files through the vulnerable versions of re2c (up to version 4.4) to prevent local exploitation.

The vulnerability requires local access to exploit, so restricting access to the system and limiting who can run re2c can reduce risk.

Monitor for updates from the vendor and apply the official patch as soon as it is available.
