CVE-2026-44927
Pointer Difference Truncation in uriparser
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| uriparser | uriparser | up to 1.0.2 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-197 | Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in uriparser before version 1.0.2 involves the truncation of pointer difference values (ptrdiff_t) to a smaller integer type (int) in various parts of the code.
Truncating ptrdiff_t to int can cause loss of data or integer overflow because ptrdiff_t may be larger than int on some systems.
The issue was addressed by modifying multiple functions to correctly handle ptrdiff_t values without truncation, preventing potential errors related to incorrect integer conversions.
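As an added illustration that is not code from uriparser or from this advisory, the narrowing pattern behind the CWE-197 finding is shown next to a checked conversion that refuses differences which do not fit in an int; the URI string and the out-of-range values are constructed for the demonstration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Truncating conversion (the pattern the fix removes): on an LP64 system
 * ptrdiff_t is 64 bits wide and int is 32, so any difference above INT_MAX
 * is silently narrowed and the caller receives a wrong length. */
static int span_length_truncating(const char *first, const char *afterLast) {
    return (int)(afterLast - first); /* implicit narrowing, no check */
}

/* Checked conversion: only accept 0 <= d <= INT_MAX, otherwise report failure. */
static bool ptrdiff_to_int_checked(ptrdiff_t d, int *out) {
    if (d < 0 || d > (ptrdiff_t)INT_MAX) {
        return false;
    }
    *out = (int)d;
    return true;
}

/* Length of the half-open span [first, afterLast) as an int, or false if the
 * pointers are unordered or the length does not fit. */
static bool span_length_checked(const char *first, const char *afterLast, int *out) {
    if (first == NULL || afterLast == NULL || afterLast < first) {
        return false;
    }
    return ptrdiff_to_int_checked(afterLast - first, out);
}

/* True when a difference survives a round trip through int, i.e. no data
 * is lost by the narrowing cast. Used to demonstrate the truncation itself. */
static bool round_trips_through_int(ptrdiff_t d) {
    return (ptrdiff_t)(int)d == d;
}

/* Constructed sample input: a short URI whose length clearly fits in int. */
static const char sample_uri[] = "http://example.com/path";

static int sample_uri_length_truncating(void) {
    return span_length_truncating(sample_uri, sample_uri + strlen(sample_uri));
}
```

For a span shorter than INT_MAX bytes both conversions agree; the checked version differs only in that it reports, rather than silently mangles, a difference that is negative or too large for int.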
How can this vulnerability impact me?
The vulnerability can lead to incorrect calculations or behavior in the uriparser library due to integer truncation errors.
While the CVSS score is low (2.9) and indicates no confidentiality or availability impact, there is a potential integrity impact, meaning the vulnerability could cause incorrect processing of URI data.
This could result in subtle bugs or unexpected behavior in applications relying on uriparser for URI handling, especially on systems where ptrdiff_t is larger than int.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability relates to pointer difference truncation in the uriparser library before version 1.0.2. Detection involves identifying if your system or software is using a vulnerable version of uriparser.
You can check the installed version of uriparser on your system using commands like:
- dpkg -l | grep uriparser # On Debian-based Linux distributions
- rpm -qa | grep uriparser # On Red Hat-based Linux distributions
- pkg-config --modversion uriparser # If pkg-config is used for uriparser
If you have source code or binaries that include uriparser, you may also inspect the version or check for the presence of the patched code as described in the pull request.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade uriparser to version 1.0.2 or later, where the pointer difference truncation issue has been fixed.
If upgrading immediately is not possible, consider applying the patch from the referenced pull request to your current uriparser source code and rebuilding the library.
Additionally, restrict access to systems using vulnerable versions and monitor for any unusual behavior, although the CVSS score indicates a low severity with limited impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
There is no information provided in the available context or resources that describes how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.