CVE-2026-40489
Received Received - Intake

Stack-Based Buffer Overflow in editorconfig-core-c Causes DoS

Vulnerability report for CVE-2026-40489, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description

editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. This is an incomplete fix for CVE-2023-0341. The pcre_str buffer was protected in 0.12.6 but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-18
Last Modified
2026-04-18
Generated
2026-07-06
AI Q&A
2026-04-18
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
editorconfig editorconfig-core-c to 0.12.10 (inc)
editorconfig editorconfig-core-c 0.12.11

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a stack-based buffer overflow in the ec_glob() function of the editorconfig-core-c library, which is used by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 are affected. An attacker can exploit this by providing a specially crafted directory structure and .editorconfig file, causing the application using libeditorconfig to crash.

The issue is due to an incomplete fix for a previous vulnerability (CVE-2023-0341). While one buffer (pcre_str) was protected starting from version 0.12.6, an adjacent stack buffer (l_pattern[8194]) was not protected, allowing the overflow to occur.

On systems like Ubuntu 24.04, the FORTIFY_SOURCE feature converts this overflow into a SIGABRT signal, resulting in a denial of service (DoS). The vulnerability was addressed with an updated fix in version 0.12.11.

Impact Analysis

This vulnerability can cause applications using the affected editorconfig-core-c library to crash unexpectedly when processing specially crafted directory structures and .editorconfig files.

On some systems, such as Ubuntu 24.04, this crash manifests as a denial of service (DoS) due to the triggering of a SIGABRT signal.

An attacker could exploit this to disrupt the normal operation of software relying on this library, potentially causing service interruptions or instability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade editorconfig-core-c to version 0.12.11 or later, as this version contains the updated fix for the stack-based buffer overflow issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40489. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart