CVE-2026-14650

Denial of Service in Grass Compiler UTF-8 Handler

Vulnerability report for CVE-2026-14650, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: VulDB

Description

A flaw has been found in connorskees grass up to and including 0.13.4. The affected element is the function grass_compiler::raw_to_parse_error in the UTF-8 Character Handler component. Manipulated input can lead to a denial of service. The attack is restricted to local execution. The exploit has been published and may be used. In Issue #117, which has a similar structure, the project maintainer explains: "DoS vulnerabilities are generally fine in Sass compilers -- they are trivially possible with recursive functions, infinite loops, nested mixins, etc. The description here is wrong. Compile time is not expected to be linear relative to the input, and the @extend algorithm is definitionally exponential."


Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-05
AI Q&A: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: connorskees
Product: grass
Version / Range: up to 0.13.4 (inclusive)

CWE

CWE-404: The product does not release or incorrectly releases a resource before it is made available for re-use.

Executive Summary

CVE-2026-14650 is a vulnerability in the grass crate (a Rust-based Sass compiler) version 0.13.4 and earlier. The flaw occurs in the function grass_compiler::raw_to_parse_error within the UTF-8 Character Handler component. When the parser encounters invalid SCSS input containing multi-byte UTF-8 characters, it attempts to generate an error message. However, the codemap crate's line/column resolution function tries to slice the source string at a non-character boundary, causing a Rust panic with a "byte index is not a char boundary" error. This panic leads to an unexpected termination of the process.
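The failure mode described above, as an added example that is not grass or codemap code: a line/column resolver that slices the source at a raw byte offset panics when the offset lands inside a multi-byte UTF-8 character, while a variant that first snaps the offset to a char boundary cannot. The SCSS snippet and byte offsets are constructed for illustration.

```rust
use std::panic;

/// Constructed sample: an ASCII line, then a line holding a 2-byte 'é'
/// (bytes 17..19) and a 3-byte '€' (bytes 19..22).
pub const SAMPLE_SCSS: &str = ".a {\n  content: \"é€\"\n}";

/// Count lines and chars in `before` to produce a 1-based (line, column).
fn position_of(before: &str) -> (usize, usize) {
    let line = before.matches('\n').count() + 1;
    let col = before.rsplit('\n').next().unwrap_or("").chars().count() + 1;
    (line, col)
}

/// Unchecked resolver: slices at the raw byte offset. When `offset` is not a
/// char boundary this panics with "byte index N is not a char boundary",
/// the same class of failure the advisory attributes to the error path.
pub fn line_col_unchecked(src: &str, offset: usize) -> (usize, usize) {
    position_of(&src[..offset])
}

/// Hardened resolver: clamp to the source length, then walk back to the
/// nearest char boundary before slicing, so error reporting never panics.
pub fn line_col_checked(src: &str, offset: usize) -> (usize, usize) {
    let mut idx = offset.min(src.len());
    while !src.is_char_boundary(idx) {
        idx -= 1; // index 0 is always a boundary, so this terminates
    }
    position_of(&src[..idx])
}

/// Probe whether the unchecked resolver panics for `offset`, catching the
/// unwind so a test harness can check many offsets without crashing.
pub fn unchecked_panics(src: &str, offset: usize) -> bool {
    panic::catch_unwind(|| line_col_unchecked(src, offset)).is_err()
}

fn main() {
    // Byte 20 is inside '€'; byte 19 is its first byte, a valid boundary.
    println!("checked @20 -> {:?}", line_col_checked(SAMPLE_SCSS, 20));
    println!("unchecked @20 panics: {}", unchecked_panics(SAMPLE_SCSS, 20));
    println!("unchecked @19 panics: {}", unchecked_panics(SAMPLE_SCSS, 19));
}
```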

The vulnerability is triggered by local execution and results in a denial of service (DoS) by crashing the compiler. The issue was discovered through fuzzing, and a proof-of-concept exploit exists using a small SCSS input with invalid syntax and multi-byte UTF-8 characters.

The project maintainer notes that DoS vulnerabilities are generally expected in Sass compilers due to recursive functions and complex algorithms, and that compile time is not expected to be linear relative to input.

Impact Analysis

This vulnerability can cause a denial of service (DoS) by crashing the grass compiler when it processes specially crafted SCSS input containing invalid syntax and multi-byte UTF-8 characters. The crash occurs due to a panic in Rust triggered by improper string slicing during error reporting.

Since the attack requires local execution, an attacker would need access to run the compiler locally to exploit this issue.

The impact is limited to unexpected termination of the compilation process, which could disrupt development workflows or automated build systems relying on the grass compiler.

Detection Guidance

This vulnerability manifests as a panic in the grass compiler when parsing invalid SCSS input containing multi-byte UTF-8 characters. Detection involves triggering the parser with crafted inputs that cause the error.

A proof-of-concept uses a 35-byte SCSS input with invalid syntax and multi-byte UTF-8 characters to cause the crash.

To detect the vulnerability on your system, run the grass compiler against suspicious or malformed SCSS files that include multi-byte UTF-8 characters and observe whether the process terminates unexpectedly with a panic message similar to "byte index is not a char boundary."

Since grass is a Rust-based CLI tool, you can test detection by running a command like:

  • echo '<malformed SCSS input with multi-byte UTF-8 characters>' | grass

Replace '<malformed SCSS input with multi-byte UTF-8 characters>' with a crafted input similar to the proof-of-concept that triggers the panic.

Mitigation Strategies

The vulnerability is a denial of service caused by a panic in the grass compiler when parsing certain invalid inputs locally.

Immediate mitigation steps include:

  • Avoid processing untrusted or malformed SCSS inputs that contain multi-byte UTF-8 characters which may trigger the panic.
  • Update the grass compiler to a version later than 0.13.4 once a fix is released.
  • Monitor the project's GitHub repository and issue tracker for patches or updates addressing this vulnerability.

Since the attack requires local execution, restricting access to the environment where grass is run can also reduce risk.

Compliance Impact

The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
