CVE-2026-40489
Status: Received - Intake
Stack-Based Buffer Overflow in editorconfig-core-c Causes DoS

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description
editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. This is an incomplete fix for CVE-2023-0341. The pcre_str buffer was protected in 0.12.6 but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix.
Meta Information
Published: 2026-04-18
Last Modified: 2026-04-18
Generated: 2026-05-07
AI Q&A: 2026-04-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor: editorconfig | Product: editorconfig-core-c | Version / Range: up to and including 0.12.10
Vendor: editorconfig | Product: editorconfig-core-c | Version / Range: 0.12.11
CWE
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
CWE-121: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a stack-based buffer overflow in the ec_glob() function of the editorconfig-core-c library, which is used by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 are affected. An attacker can exploit this by providing a specially crafted directory structure and .editorconfig file, causing the application using libeditorconfig to crash.

The issue is due to an incomplete fix for a previous vulnerability (CVE-2023-0341). While one buffer (pcre_str) was protected starting from version 0.12.6, an adjacent stack buffer (l_pattern[8194]) was not protected, allowing the overflow to occur.

On systems like Ubuntu 24.04, the FORTIFY_SOURCE feature converts this overflow into a SIGABRT signal, resulting in a denial of service (DoS). The vulnerability was addressed with an updated fix in version 0.12.11.

How can this vulnerability impact me?

This vulnerability can cause applications using the affected editorconfig-core-c library to crash unexpectedly when processing specially crafted directory structures and .editorconfig files.

On some systems, such as Ubuntu 24.04, this crash manifests as a denial of service (DoS) due to the triggering of a SIGABRT signal.

An attacker could exploit this to disrupt the normal operation of software relying on this library, potentially causing service interruptions or instability.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade editorconfig-core-c to version 0.12.11 or later, as this version contains the updated fix for the stack-based buffer overflow issue.