Skip to main content

Zenc CVE-2026-33491

| EUVDEUVD-2026-16319 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-03-26 GitHub_M
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:13 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
0.4.4
EUVD ID Assigned
Mar 26, 2026 - 19:00 euvd
EUVD-2026-16319
Analysis Generated
Mar 26, 2026 - 19:00 vuln.today
CVE Published
Mar 26, 2026 - 18:39 nvd
HIGH 7.8

DescriptionGitHub Advisory

Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.4, a stack-based buffer overflow vulnerability in the Zen C compiler allows attackers to cause a compiler crash or potentially execute arbitrary code by providing a specially crafted Zen C source file (.zc) with excessively long struct, function, or trait identifiers. Users are advised to update to Zen C version v0.4.4 or later to receive a patch.

AnalysisAI

The Zen C compiler (versions prior to 0.4.4) crashes or enables arbitrary code execution when processing maliciously crafted .zc source files containing excessively long identifiers for structs, functions, or traits, triggering a stack-based buffer overflow (CWE-121). A proof-of-concept exploit exists per SSVC assessment, though attack complexity remains moderate as it requires local access and user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:R). Vendor-released patch: version 0.4.4.

Technical ContextAI

Zen C is a systems programming language that transpiles to human-readable GNU C/C11 code. The vulnerability (CWE-121: Stack-based Buffer Overflow) resides in the compiler's identifier parsing logic, where insufficient bounds checking allows attackers to overflow stack-allocated buffers during compilation of source files. The affected product is identified via CPE cpe:2.3:a:zenc-lang:zenc:*:*:*:*:*:*:*:* covering all versions prior to 0.4.4. Stack-based buffer overflows occur when data written to a buffer exceeds its allocated stack memory region, potentially overwriting return addresses or function pointers to redirect program execution. In this compiler context, the overflow occurs during the compilation phase rather than in compiled output, making the compiler itself the attack surface.

RemediationAI

Upgrade Zen C compiler to version 0.4.4 or later to receive the vendor-released patch addressing the stack buffer overflow, as documented in the GitHub security advisory at https://github.com/zenc-lang/zenc/security/advisories/GHSA-rv74-w6q7-h8xr. Organizations unable to immediately upgrade should implement compensating controls including restricting compilation to trusted source files only, implementing code review processes for all .zc files before compilation, and isolating compiler execution in sandboxed or containerized environments with limited privileges. Continuous integration pipelines should validate source file identifier lengths before compilation and consider implementing automated static analysis to detect suspicious patterns in source files prior to compiler invocation.

Share

CVE-2026-33491 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy