CVE-2026-40489
Status: Received - Intake
Stack-Based Buffer Overflow in editorconfig-core-c Causes DoS

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description
editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. This is an incomplete fix for CVE-2023-0341. The pcre_str buffer was protected in 0.12.6 but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix.
Meta Information

Published: 2026-04-18

Last Modified: 2026-04-18

Generated: 2026-06-16

AI Q&A: 2026-04-18

EPSS Evaluated: 2026-06-14
Affected Vendors & Products (2 associated CPEs)

Vendor | Product | Version / Range
editorconfig | editorconfig-core-c | up to and including 0.12.10
editorconfig | editorconfig-core-c | 0.12.11 (fixed)
CWE ID | Description
CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer.
CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Executive Summary

This vulnerability is a stack-based buffer overflow in the ec_glob() function of the editorconfig-core-c library, which is used by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 are affected. An attacker can exploit this by providing a specially crafted directory structure and .editorconfig file, causing the application using libeditorconfig to crash.

The issue is due to an incomplete fix for a previous vulnerability (CVE-2023-0341). While one buffer (pcre_str) was protected starting from version 0.12.6, an adjacent stack buffer (l_pattern[8194]) was not protected, allowing the overflow to occur.

On systems like Ubuntu 24.04, the FORTIFY_SOURCE feature converts this overflow into a SIGABRT signal, resulting in a denial of service (DoS). The vulnerability was addressed with an updated fix in version 0.12.11.
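The root cause described above is a fixed-size stack buffer that received no length check while its neighbour did. The following C program is an added illustration of that pattern and of the guard that closes it; it is not editorconfig-core-c source. Only the buffer name and size (l_pattern[8194]) come from the advisory; the function names unguarded_copy, guarded_copy, glob_prepare and accepts_pattern_of_length, and the assumption that the pattern handed to the glob step already carries the directory prefix (which is why a crafted directory structure matters), are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the stack buffer named in the advisory (l_pattern[8194]).
 * The name and size come from the CVE text; everything else here is an
 * illustrative layout, not the editorconfig-core-c source. */
#define L_PATTERN_SIZE 8194

enum pattern_status { PATTERN_OK = 0, PATTERN_TOO_LONG = 1 };

/* Pre-fix shape of the defect (CWE-121): the pattern, which in EditorConfig
 * already includes the directory prefix, is copied into a fixed stack buffer
 * with no length check. Kept only for contrast; it is safe solely for inputs
 * known to be short, and must never see untrusted input. */
void unguarded_copy(const char *pattern, char *l_pattern)
{
    strcpy(l_pattern, pattern); /* writes past l_pattern once strlen(pattern) >= L_PATTERN_SIZE */
}

/* Guarded replacement: refuse the copy unless the pattern plus its NUL
 * terminator fits. The guard the advisory says pcre_str received in 0.12.6
 * has to cover every sibling fixed-size buffer, otherwise the fix is incomplete. */
enum pattern_status guarded_copy(const char *pattern, char *l_pattern, size_t size)
{
    size_t len = strlen(pattern);
    if (len >= size)
        return PATTERN_TOO_LONG;
    memcpy(l_pattern, pattern, len + 1);
    return PATTERN_OK;
}

/* Illustrative glob entry point (assumed name): declares the stack buffer and
 * applies the guard before any matching work. Returns 1 if the pattern was
 * accepted, 0 if it was rejected as too long. */
int glob_prepare(const char *pattern)
{
    char l_pattern[L_PATTERN_SIZE];
    if (guarded_copy(pattern, l_pattern, sizeof l_pattern) != PATTERN_OK)
        return 0;
    /* Real matching against l_pattern would follow here. */
    return 1;
}

/* Constructed test input: a pattern of n 'a' characters. Returns 1 if
 * glob_prepare accepted it, 0 if rejected, -1 on allocation failure. */
int accepts_pattern_of_length(size_t n)
{
    char *pattern = malloc(n + 1);
    if (pattern == NULL)
        return -1;
    memset(pattern, 'a', n);
    pattern[n] = '\0';
    int accepted = glob_prepare(pattern);
    free(pattern);
    return accepted;
}

int main(void)
{
    char l_pattern[L_PATTERN_SIZE];
    unguarded_copy("*.c", l_pattern); /* a short constant: harmless, shows the old shape */
    printf("unguarded copy of short pattern: '%s'\n", l_pattern);
    printf("8193-char pattern accepted:  %d\n", accepts_pattern_of_length(8193));
    printf("8194-char pattern accepted:  %d\n", accepts_pattern_of_length(8194));
    printf("20000-char pattern accepted: %d\n", accepts_pattern_of_length(20000));
    return 0;
}
```

The boundary is the point to check: 8193 characters plus the terminator fill the buffer exactly and are accepted, while 8194 or more are rejected before any byte is written. A FORTIFY_SOURCE build turns the unguarded form's overflow into the SIGABRT the advisory describes, which is detection after the fact; the guard prevents the write altogether.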

Impact Analysis

This vulnerability can cause applications using the affected editorconfig-core-c library to crash unexpectedly when processing specially crafted directory structures and .editorconfig files.

On some systems, such as Ubuntu 24.04, this crash manifests as a denial of service (DoS) due to the triggering of a SIGABRT signal.

An attacker could exploit this to disrupt the normal operation of software relying on this library, potentially causing service interruptions or instability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade editorconfig-core-c to version 0.12.11 or later, as this version contains the updated fix for the stack-based buffer overflow issue.
