CVE-2026-36189
Buffer Overflow in Uncrustify
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uncrustify | uncrustify | up to and including 0.82.0-132-bcc41cbdc |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-36189 is a stack-based buffer overflow vulnerability in the Uncrustify code formatting tool for C/C++ code. It occurs in the check_template() function within the tokenizer module, where improper bounds checking on a fixed-size stack buffer allows an attacker to provide specially crafted malformed input that exceeds the buffer's capacity.
This leads to an out-of-bounds write and a stack-based buffer overflow, causing memory corruption. The vulnerability is triggered during template parsing when the number of collected tokens surpasses the buffer limit.
While no arbitrary code execution has been confirmed, the flaw reliably causes application crashes, resulting in denial of service.
How can this vulnerability impact me?
This vulnerability can be exploited by a local attacker to cause the Uncrustify application to crash, resulting in a denial of service.
In environments where Uncrustify is used in automated systems such as CI/CD pipelines or online code processing services, this can disrupt service availability and workflow.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or denial of service events in the Uncrustify executable, especially when processing malformed C/C++ template syntax.
Using AddressSanitizer during fuzz testing or runtime can help detect the stack-based buffer overflow at the source code location src/tokenizer/check_template.cpp:305.
A practical approach is to run Uncrustify with potentially malicious or malformed input files and observe if the application crashes or reports memory errors.
Example command, run against an AddressSanitizer-enabled build of Uncrustify:

```
ASAN_OPTIONS=detect_stack_use_after_return=1 ./uncrustify -c malformed_input.cfg malformed_code.cpp
```
Alternatively, fuzz testing tools like AFL++ can be used to generate inputs that trigger the overflow.
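The detection guidance above amounts to a small triage loop: run an ASan-instrumented build over a set of inputs, capture stderr, and sort the results by what ASan reported. The POSIX shell script below is an added example and not part of the CVE record or of the Uncrustify project; the binary path, config path and corpus directory are assumptions (override `UNCRUSTIFY_BIN` and `UNCRUSTIFY_CFG` in the environment), and `classify_asan_log` is a helper name chosen here. It separates a stack-buffer-overflow whose stack trace mentions `check_template` from other ASan findings and from clean runs, so a CI job can flag the specific failure mode rather than just "the process crashed".

```shell
#!/bin/sh
# Added example (not from the CVE record or the Uncrustify project).
# Triages an AddressSanitizer-instrumented uncrustify build over a corpus
# and reports which inputs produce the stack-buffer-overflow in check_template().
# Paths below are assumptions; adjust to the local build.

UNCRUSTIFY_BIN="${UNCRUSTIFY_BIN:-./uncrustify}"    # ASan build (assumed path)
UNCRUSTIFY_CFG="${UNCRUSTIFY_CFG:-./default.cfg}"   # any valid config (assumed path)

# classify_asan_log LOGFILE
# Reads one captured stderr log and prints exactly one verdict:
#   overflow-check_template  stack-buffer-overflow with check_template in the trace
#   overflow-other           stack-buffer-overflow elsewhere
#   asan-other               some other AddressSanitizer report
#   clean                    no ASan report at all
classify_asan_log() {
    log="$1"
    if grep -q 'AddressSanitizer: stack-buffer-overflow' "$log"; then
        if grep -q 'check_template' "$log"; then
            echo "overflow-check_template"
        else
            echo "overflow-other"
        fi
    elif grep -q 'AddressSanitizer' "$log"; then
        echo "asan-other"
    else
        echo "clean"
    fi
}

# triage_one INPUTFILE
# Runs the binary on one input, captures stderr to a temp file and classifies it.
# halt_on_error=1 makes ASan stop at the first report so the log is unambiguous;
# stack-buffer-overflow detection itself is on by default in ASan.
triage_one() {
    input="$1"
    log="$(mktemp)"
    ASAN_OPTIONS=detect_stack_use_after_return=1:halt_on_error=1 \
        "$UNCRUSTIFY_BIN" -c "$UNCRUSTIFY_CFG" "$input" >/dev/null 2>"$log"
    verdict="$(classify_asan_log "$log")"
    rm -f "$log"
    echo "$verdict"
}

# triage_corpus DIR
# Prints "verdict<TAB>file" for every regular file in DIR.
triage_corpus() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(triage_one "$f")" "$f"
    done
}

# Usage (assumed corpus directory): triage_corpus ./corpus
```

Because the verdict is derived from ASan's own report text rather than from the exit status, a plain crash on a non-instrumented build will show up as `clean`; the script only gives meaningful answers against a build compiled with `-fsanitize=address`. The `grep` patterns are deliberately loose (`check_template` rather than a full frame line) so they survive differences in symbolization and line numbers between builds.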
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Uncrustify to a version that includes the fix from commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc, which implements proper bounds checking in the check_template() function.
Until the update can be applied, avoid processing untrusted or malformed C/C++ template code with Uncrustify to reduce the risk of denial of service.
If updating is not immediately possible, consider running Uncrustify in a sandboxed environment or with resource limits to contain potential crashes.