CVE-2026-36189
Deferred - Pending Action
Buffer Overflow in Uncrustify

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: MITRE

Description
Buffer overflow vulnerability in the Uncrustify Project, affecting v. Uncrustify_d-0.82.0-132-bcc41cbdc and fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc, allows a local attacker to cause a denial of service via the check_template.cpp check_template function, tokenize_cleanup function, and uncrustify executable components.
Meta Information
Published: 2026-05-21
Last Modified: 2026-05-21
Generated: 2026-06-10
AI Q&A: 2026-05-21
EPSS Evaluated: 2026-06-09
Affected Vendors & Products
Vendor | Product | Version / Range
uncrustify | uncrustify | up to 0.82.0-132-bcc41cbdc (inclusive)
CWE
CWE ID | Description
CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Executive Summary

CVE-2026-36189 is a stack-based buffer overflow vulnerability in the Uncrustify code formatting tool for C/C++ code. It occurs in the check_template() function within the tokenizer module, where improper bounds checking on a fixed-size stack buffer allows an attacker to provide specially crafted malformed input that exceeds the buffer's capacity.

This leads to an out-of-bounds write and a stack-based buffer overflow, causing memory corruption. The vulnerability is triggered during template parsing when the number of collected tokens surpasses the buffer limit.

While no arbitrary code execution has been confirmed, the flaw reliably causes application crashes, resulting in denial of service.

Impact Analysis

This vulnerability can be exploited by a local attacker to cause the Uncrustify application to crash, resulting in a denial of service.

In environments where Uncrustify is used in automated systems such as CI/CD pipelines or online code processing services, this can disrupt service availability and workflow.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial of service events in the Uncrustify executable, especially when processing malformed C/C++ template syntax.

Using AddressSanitizer during fuzz testing or runtime can help detect the stack-based buffer overflow at the source code location src/tokenizer/check_template.cpp:305.

A practical approach is to run Uncrustify with potentially malicious or malformed input files and observe if the application crashes or reports memory errors.

Example command, run against an AddressSanitizer-enabled build of Uncrustify:

  • ASAN_OPTIONS=detect_stack_use_after_return=1 ./uncrustify -c malformed_input.cfg malformed_code.cpp

Alternatively, fuzz testing tools like AFL++ can be used to generate inputs that trigger the overflow.
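The sanitizer run described above, as a small triage helper added here (not code from the advisory or the Uncrustify project): it buckets an AddressSanitizer report by error kind and crashing frame, and runs a directory of inputs through an instrumented binary. The binary name, config path and the embedded sample report are constructed.

```shell
#!/bin/sh
# Added example, not part of this advisory or of Uncrustify: a small triage
# helper for the ASan-instrumented runs described above. It buckets a
# sanitizer report by error kind and top stack frame, and wraps a run over a
# corpus directory. The sample report, paths and binary name are constructed.

# bucket_report: read an ASan report on stdin and print "<kind> <file>:<line>",
# taken from the "ERROR: AddressSanitizer: <kind>" line and the "#0" frame.
# Exits 1 and prints nothing when the input contains no sanitizer report.
bucket_report() {
    awk '
        /ERROR: AddressSanitizer: / { kind = $3 }
        /^ *#0 / && kind != "" && loc == "" {
            loc = $NF                  # e.g. .../check_template.cpp:305:15
            sub(/:[0-9]+$/, "", loc)   # drop the column number
            sub(/.*\//, "", loc)       # drop the directory part
        }
        END {
            if (kind == "" || loc == "") exit 1
            print kind, loc
        }'
}

# run_corpus BIN CFG DIR: run every file in DIR through an ASan build of
# uncrustify and print "<bucket><TAB><input>" for each run that reported an
# error. halt_on_error stops at the first finding; exitcode makes it visible.
run_corpus() {
    bin=$1; cfg=$2; dir=$3
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if bucket=$(ASAN_OPTIONS=halt_on_error=1:exitcode=99 \
                    "$bin" -c "$cfg" "$f" 2>&1 >/dev/null | bucket_report); then
            printf '%s\t%s\n' "$bucket" "$f"
        fi
    done
}

# Constructed sample report in AddressSanitizer's output format. Only the
# crash site matches the advisory; pid, addresses and frame #1's line are made up.
SAMPLE_REPORT='==4242==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd1c0e3d20 at pc 0x55b0c3a1e9f2 bp 0x7ffd1c0e3c90 sp 0x7ffd1c0e3c88
WRITE of size 8 at 0x7ffd1c0e3d20 thread T0
    #0 0x55b0c3a1e9f1 in check_template(Chunk*) /build/uncrustify/src/tokenizer/check_template.cpp:305:15
    #1 0x55b0c3a1a0c4 in tokenize_cleanup() /build/uncrustify/src/tokenizer/tokenize_cleanup.cpp:100:5'

# Stand-alone demo: classify the constructed report.
printf '%s\n' "$SAMPLE_REPORT" | bucket_report
# → stack-buffer-overflow check_template.cpp:305
```

Bucketing by the top frame lets a fuzzing campaign tell repeated hits on check_template.cpp:305 apart from any other crash sites the same corpus turns up.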

Mitigation Strategies

The immediate mitigation step is to update Uncrustify to a version that includes the fix from commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc, which implements proper bounds checking in the check_template() function.

Until the update can be applied, avoid processing untrusted or malformed C/C++ template code with Uncrustify to reduce the risk of denial of service.

If updating is not immediately possible, consider running Uncrustify in a sandboxed environment or with resource limits to contain potential crashes.

Compliance Impact

CVE-2026-36189 is a buffer overflow vulnerability that causes denial of service by crashing the Uncrustify application. It primarily affects service availability in environments where Uncrustify is used, such as automated CI/CD pipelines or online code processing services.

There is no information in the provided context or resources indicating that this vulnerability leads to unauthorized access, data breach, or exposure of personal or sensitive data.

Therefore, based on the available information, this vulnerability does not directly impact compliance with data protection standards and regulations like GDPR or HIPAA, which focus on confidentiality and integrity of personal data.
