CVE-2026-13574

Heap-based Buffer Overflow in LLVM Bitcode File Handler

Vulnerability report for CVE-2026-13574, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A vulnerability was determined in llvm llvm-project up to 22.1.6. It affects the function GCRelocateInst::getBasePtr in the file llvm/lib/IR/IntrinsicInst.cpp of the component Bitcode File Handler. The manipulation causes a heap-based buffer overflow. The attack can be launched on the local host. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: llvm
Product: llvm_project
Version / Range: up to and including 22.1.6

Exploitability
CWE-119: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

CWE-122: A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The vulnerability is a heap-based buffer overflow in the GCRelocateInst::getBasePtr function of LLVM's Bitcode File Handler, triggered by an invalid large index in a gc.relocate intrinsic.

Since the project has not yet responded with a fix, immediate mitigation steps include avoiding the use of untrusted or malformed input that could trigger the gc.relocate intrinsic with invalid indices.

Additionally, running fuzz testing or static analysis tools locally may help identify inputs that reach this vulnerability before they are processed by an affected build.

Monitoring the LLVM project repository and issue tracker for patches or updates addressing this vulnerability is recommended to apply fixes once available.

Executive Summary

This vulnerability is a heap-based buffer overflow in the LLVM project's handling of the gc.relocate intrinsic, specifically in the function GCRelocateInst::getBasePtr located in llvm/lib/IR/IntrinsicInst.cpp.

The issue arises when an invalid large index is used in a gc.relocate intrinsic referencing a gc.statepoint instruction. The function accesses the statepoint's inputs or arguments using a raw offset from an iterator without bounds checking, which leads to an out-of-bounds read and consequently a heap buffer overflow.

This flaw was discovered through fuzzing and can be triggered by an invalid index value, such as 59, causing the code to access invalid memory.

Impact Analysis

The vulnerability allows an attacker to cause a heap-based buffer overflow on the local host by providing an invalid index to the gc.relocate intrinsic.

Heap-based buffer overflows can lead to program crashes, memory corruption, or potentially arbitrary code execution depending on the context and exploitation.

Since the exploit has been publicly disclosed, there is a risk that attackers could use this vulnerability to compromise systems running affected versions of the LLVM project.

Detection Guidance

This vulnerability was identified through fuzzing with llvm-opt-fuzzer using the -passes=gvn option.

A proof-of-concept (PoC) was provided to reproduce the crash by triggering an invalid index value, such as 59, which causes out-of-bounds memory access.

To detect this vulnerability on your system, you can run fuzzing tests with llvm-opt-fuzzer targeting the gc.relocate intrinsic, specifically using the command: llvm-opt-fuzzer -passes=gvn
