CVE-2026-50643
Received Received - Intake
Out-of-Bounds Read in 8cc Compiler

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: CERT.PL

Description
8cc is vulnerable to an Out‑of‑Bounds Read due to improper handling of #line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays. By supplying invalid or oversized line numbers, an attacker can trigger out-of-bounds memory access and a crash. Maintainer of this project was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Version corresponding to the commit b480958 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-06-19
AI Q&A
2026-06-18
EPSS Evaluated
2026-06-18
NVD
CVE-2026-50643
EUVD
EUVD-2026-37865
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rui314 8cc *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in 8cc is an Out-of-Bounds Read caused by improper handling of #line directives and GNU linemarkers. The compiler accepts filename and line number metadata that can be controlled by an attacker. It then uses this metadata without proper validation when accessing source line arrays.

By supplying invalid or oversized line numbers, an attacker can cause the compiler to read memory outside the intended bounds, which can lead to a crash.

Impact Analysis

This vulnerability can cause the 8cc compiler to crash due to out-of-bounds memory access when processing maliciously crafted source code with manipulated #line directives.

While the impact is primarily a denial of service through a crash, it may also pose risks if exploited in a broader context where memory corruption could lead to further security issues.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50643. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart