CVE-2026-50643
Deferred Deferred - Pending Action

Out-of-Bounds Read in 8cc Compiler

Vulnerability report for CVE-2026-50643, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-18

Last updated on: 2026-06-22

Assigner: CERT.PL

Description

8cc is vulnerable to an Out‑of‑Bounds Read due to improper handling of #line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays. By supplying invalid or oversized line numbers, an attacker can trigger out-of-bounds memory access and a crash. Maintainer of this project was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Version corresponding to the commit b480958 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-18
Last Modified
2026-06-22
Generated
2026-07-09
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rui314 8cc *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in 8cc is an Out-of-Bounds Read caused by improper handling of #line directives and GNU linemarkers. The compiler accepts filename and line number metadata that can be controlled by an attacker. It then uses this metadata without proper validation when accessing source line arrays.

By supplying invalid or oversized line numbers, an attacker can cause the compiler to read memory outside the intended bounds, which can lead to a crash.

Impact Analysis

This vulnerability can cause the 8cc compiler to crash due to out-of-bounds memory access when processing maliciously crafted source code with manipulated #line directives.

While the impact is primarily a denial of service through a crash, it may also pose risks if exploited in a broader context where memory corruption could lead to further security issues.

Mitigation Strategies

The vulnerability exists in the 8cc compiler due to improper handling of #line directives and GNU linemarkers, which can cause out-of-bounds memory access and crashes.

Since the maintainer has not provided details or a fixed version, and the project is no longer actively maintained, immediate mitigation steps include:

  • Avoid using the vulnerable version of 8cc (including the version corresponding to commit b480958) in your environment.
  • Consider switching to a maintained alternative compiler such as chibicc, the successor to 8cc.
  • If you must use 8cc, restrict input to trusted sources to prevent attacker-controlled filename and line number metadata.
  • Monitor for any updates or patches from the community or related projects.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50643. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart