CVE-2026-41988
Status: Received - Intake
Unexpected Write Vulnerability in uuid Before 14.0.0 Using External Buffers

Publication date: 2026-04-23

Last updated on: 2026-04-23

Assigner: MITRE

Description
uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue.
Meta Information
Published: 2026-04-23
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-04-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor   Product   Version / Range
uuidjs   uuid      to 13.0.0 (exc)
CWE ID    Description
CWE-670   The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41988 is a vulnerability in the uuid npm package versions up to 13.0.0 affecting UUID generation functions for versions 3, 5, and 6. These functions accept external output buffers and an offset parameter but do not properly check if the buffer is large enough to safely write the UUID data.

Unlike UUID versions 1, 4, and 7, which throw an error if the buffer size or offset is invalid, versions 3, 5, and 6 silently allow out-of-range writes. This can cause partial or malformed UUIDs to be written into the buffer without any error notification.

The root cause is missing bounds checking on buffer writes, which can lead to unexpected writes outside the intended buffer area when using external buffers with certain UUID versions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in the uuid package causes unexpected writes to external output buffers when generating UUID versions 3, 5, or 6, potentially resulting in malformed or partial UUIDs without error notification.

This issue primarily impacts data integrity and robustness, as applications relying on complete and correct UUIDs may unknowingly process corrupted identifiers.

However, there is no direct information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability impact me?

This vulnerability primarily impacts the integrity and robustness of applications using the affected UUID functions with external buffers. Applications may unknowingly process corrupted, truncated, or stale UUIDs due to silent partial writes.

If buffer sizes or offsets are influenced by external input, this flaw could escalate into a security-relevant logic error, potentially causing unexpected behavior or data corruption.

However, the vulnerability does not affect UUID version 4, which is very commonly used, and the overall severity is rated as moderate.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects the uuid npm package versions up to 13.0.0, specifically in UUID generation functions v3, v5, and v6 when external output buffers are used without proper bounds checking.

To detect if your system is affected, you should check the version of the uuid package installed in your environment.

  • Run the command `npm list uuid` or `npm ls uuid` in your project directory to see the installed version.
  • If the version is 13.0.0 or earlier, your system is potentially vulnerable.

Additionally, you can audit your codebase or dependencies for usage of UUID versions 3, 5, or 6 with external buffers and offsets, as these are the affected functions.


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate mitigation is to update the uuid package to a version that includes the fix for this vulnerability.

  • Upgrade uuid to a version later than 13.0.0 where explicit bounds checking is implemented, which throws a RangeError on invalid buffer offsets or sizes.
  • Ensure your code handles or catches RangeErrors when generating UUIDs with external buffers.

If upgrading immediately is not possible, review and audit your code to avoid using UUID versions 3, 5, or 6 with external buffers and offsets, or implement manual bounds checking before calling these functions.

