CVE-2026-3407
Received Received - Intake
Heap-Based Buffer Overflow in Yosys BLIF File Parser

Publication date: 2026-03-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in YosysHQ yosys up to 0.62. This affects the function Yosys::RTLIL::Const::set of the file kernel/rtlil.h of the component BLIF File Parser. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. Applying a patch is the recommended action to fix this issue. It appears that the issue is not reproducible all the time.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3407
EUVD
EUVD-2026-9140
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yosyshq yosys to 0.62 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to a heap-based buffer overflow, which may cause the Yosys software to crash or behave unpredictably.

Since the overflow is triggered by parsing crafted BLIF files, an attacker with local access could exploit this to potentially disrupt the availability of the software.

The CVSS scores indicate a low severity impact, primarily affecting availability, with no direct impact on confidentiality or integrity.

Executive Summary

CVE-2026-3407 is a heap-based buffer overflow vulnerability in the YosysHQ yosys software, specifically in the function Yosys::RTLIL::Const::set within the BLIF File Parser component.

The vulnerability occurs when parsing a specially crafted BLIF file, causing an out-of-bounds write of one byte immediately after a 1024-byte allocated buffer. This happens due to improper bounds checking or indexing logic in the bit-setting operation of the constant during BLIF parsing.

The issue can be triggered locally and has been confirmed by the vendor, who released a patch fixing the bounds checking to prevent the overflow.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by running Yosys with AddressSanitizer (ASAN) enabled and using a specially crafted BLIF file to trigger the heap-based buffer overflow.'}, {'type': 'paragraph', 'content': 'A specific command to reproduce the issue is: `./yosys -p "read_blif repro"` where "repro" is a crafted BLIF file designed to trigger the vulnerability.'}, {'type': 'paragraph', 'content': 'Detection involves monitoring for heap-buffer-overflow errors reported by ASAN during the parsing of BLIF files, which indicates the presence of the vulnerability.'}] [1, 7]

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to apply the patch provided by the vendor that fixes the out-of-bounds write by adding proper bounds checking in the BLIF parser.

The patch addressing this issue was merged into the main branch on February 18, 2026, as part of Pull Request #5681, which ensures input boundaries are properly validated.

Until the patch is applied, avoid processing untrusted or specially crafted BLIF files that could trigger the heap overflow.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3407. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart