CVE-2026-4012
Received Received - Intake
Out-of-Bounds Read in rxi fe read_ Function via Local Input

Publication date: 2026-03-12

Last updated on: 2026-03-12

Assigner: VulDB

Description
A vulnerability was determined in rxi fe up to ed4cda96bd582cbb08520964ba627efb40f3dd91. The impacted element is the function read_ of the file src/fe.c. This manipulation with the input 1 causes out-of-bounds read. The attack requires local access. The exploit has been publicly disclosed and may be utilized. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4012
EUVD
EUVD-2026-11545
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rxi fe to ed4cda96bd582cbb08520964ba627efb40f3dd91 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4012 is an out-of-bounds read vulnerability found in the function read_ within the file src/fe.c of the rxi fe project. This vulnerability occurs when the function improperly handles an input value of 1, causing it to read memory beyond the allocated boundaries of a global string buffer.

The invalid read is of size 1 byte and happens at line 516 in the source code, leading to a global buffer overflow. This causes the program to access memory it should not, which can result in a crash or undefined behavior.

The vulnerability requires local access to exploit and has been publicly disclosed with proof-of-concept exploits available.

Impact Analysis

This vulnerability can cause the affected program to crash due to invalid memory access caused by reading outside the intended buffer boundaries.

Because it involves an out-of-bounds read, it may also expose unintended memory content, potentially impacting confidentiality.

The exploit requires local access, so an attacker would need to have some level of access to the system to trigger the vulnerability.

Overall, the impact is considered low severity with a CVSS v3 base score of 3.3, but it can lead to program instability and potential information disclosure.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by building the vulnerable fe binary with Release optimization and AddressSanitizer (ASan) enabled, then running it with a specially crafted crashing input file.

A specific command to reproduce the crash and detect the vulnerability is:

  • ./fe repro

The AddressSanitizer will report a global-buffer-overflow error indicating the out-of-bounds read in the read_ function.

Mitigation Strategies

No known countermeasures or fixes have been issued by the project maintainers yet.

Since the vulnerability requires local access and is easy to exploit, immediate mitigation steps include considering alternative products that do not contain this vulnerability.

Additionally, restricting local access to the vulnerable system and monitoring for exploit attempts may help reduce risk until a patch or update is available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4012. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart