CVE-2026-42371
Received Received - Intake
Numeric Truncation Vulnerability in uriparser <1.0.1 Affects URI Handling

Publication date: 2026-04-27

Last updated on: 2026-05-18

Assigner: MITRE

Description
uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-05-18
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42371
EUVD
EUVD-2026-25776
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
uriparser_project uriparser to 1.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-197 Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42371 is a vulnerability in the uriparser library, specifically in the CompareRange function. The issue arises because the function converts pointer-difference lengths to an int type, which on 64-bit platforms can truncate large range lengths. This truncation causes the function to incorrectly treat ranges of different lengths as equal before comparing their content.

This improper handling of range-length values can lead to incorrect equality results and potential security issues when applications accept URIs with very large lengths (in gigabytes). The vulnerability was fixed by modifying the CompareRange function to compare the full range lengths without truncation.

Impact Analysis

This vulnerability can impact applications that use the uriparser library to handle very large URIs. Because of the numeric truncation, the library might incorrectly consider two different URI ranges as equal, potentially leading to incorrect processing or validation of URIs.

Such incorrect URI comparisons could cause security issues, for example by bypassing checks that rely on accurate URI comparisons, which might lead to denial of service or other unexpected behavior in applications.

The CVSS score of 5.1 with a high attack complexity and local attack vector indicates a moderate severity impact primarily affecting availability.

Detection Guidance

Detection of this vulnerability involves verifying the version of the uriparser library in use and testing the behavior of the CompareRange function with very large URI inputs.

Specifically, one can check if the uriparser version is before 1.0.1, as versions prior to this contain the numeric truncation flaw.

A practical approach is to run regression tests that attempt to compare URI ranges with lengths in the gigabyte range, which would cause crashes or incorrect results on vulnerable versions.

Commands to detect the vulnerability could include:

  • Checking the installed uriparser version, e.g., `pkg-config --modversion uriparser` or inspecting the package manager.
  • Running or adapting the regression test from the fix pull request that exercises large range comparisons to see if the vulnerable behavior occurs.
Mitigation Strategies

The immediate mitigation step is to upgrade the uriparser library to version 1.0.1 or later, where the numeric truncation issue in the CompareRange function has been fixed.

If upgrading is not immediately possible, avoid processing URIs with extremely large lengths (in the gigabyte range) to prevent triggering the truncation flaw.

Additionally, review and apply any patches or commits related to the fix, such as those correcting the truncation in CompareRange and adding regression tests.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-42371 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42371. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart