Skip to main content

Ubuntu CVE-2026-40489

| EUVDEUVD-2026-23636 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-04-18 GitHub_M
8.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Patch released
Apr 20, 2026 - 18:59 nvd
Patch available
Analysis Generated
Apr 18, 2026 - 03:54 vuln.today
Patch available
Apr 18, 2026 - 02:01 EUVD
EUVD ID Assigned
Apr 18, 2026 - 01:45 euvd
EUVD-2026-23636
Analysis Generated
Apr 18, 2026 - 01:45 vuln.today
CVE Published
Apr 18, 2026 - 01:24 nvd
HIGH 8.6

DescriptionGitHub Advisory

editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. This is an incomplete fix for CVE-2023-0341. The pcre_str buffer was protected in 0.12.6 but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix.

AnalysisAI

Stack-based buffer overflow in editorconfig-core-c library (versions ≤0.12.10) enables local attackers to crash applications or potentially execute arbitrary code via maliciously crafted .editorconfig files and directory structures. This incomplete fix for CVE-2023-0341 left the l_pattern[8194] stack buffer unprotected while only addressing the pcre_str buffer in version 0.12.6. Patched in version 0.12.11. No active exploitation confirmed (not in CISA KEV), but publicly exploitable with local access and minimal complexity (CVSS AV:L/AC:L/PR:N).

Technical ContextAI

EditorConfig is a widely-adopted configuration system used by text editors and IDEs to maintain consistent coding styles across projects. The editorconfig-core-c library (CPE: cpe:2.3:a:editorconfig:editorconfig-core-c) provides the parsing engine for .editorconfig files. The vulnerability resides in the ec_glob() function, where the l_pattern[8194] static stack buffer lacks bounds checking during pattern matching operations. This is classified as CWE-121 (Stack-based Buffer Overflow), a memory safety issue allowing writes beyond allocated buffer boundaries. The vulnerability represents an incomplete remediation of CVE-2023-0341 - while the earlier patch protected the pcre_str buffer in version 0.12.6, the adjacent l_pattern buffer remained vulnerable. On systems with FORTIFY_SOURCE protections (standard in Ubuntu 24.04 and modern Linux distributions), the overflow triggers SIGABRT, resulting in application crash (DoS). On systems without these protections, arbitrary code execution becomes theoretically possible depending on stack layout and exploit sophistication.

RemediationAI

Upgrade editorconfig-core-c to version 0.12.11 or later, which contains the complete fix for the l_pattern buffer overflow (commit 5159be88ad50641d9843289adda791ba300421ff). Organizations should identify all applications using libeditorconfig through dependency scanning and update accordingly. Release details: https://github.com/editorconfig/editorconfig-core-c/releases/tag/v0.12.11. For systems where immediate patching is not feasible, implement compensating controls: (1) Restrict processing of .editorconfig files to trusted sources only - configure IDEs/editors to ignore .editorconfig in untrusted repositories or require manual approval before parsing, understanding this breaks automatic style enforcement; (2) Deploy on systems with FORTIFY_SOURCE enabled (standard in Ubuntu 24.04+, RHEL 9+, Fedora 35+) to downgrade exploitation from code execution to denial-of-service, though this only mitigates severity and does not eliminate the vulnerability; (3) In CI/CD environments, run builds in isolated containers with limited privileges to contain potential exploitation impact; (4) Monitor for unexpected application crashes (SIGABRT) when processing repositories, which may indicate exploitation attempts. Trade-offs: Disabling .editorconfig processing eliminates automatic code style consistency; container isolation adds pipeline complexity and resource overhead. Verify patch deployment by checking library version in dependent applications and testing with known-malicious .editorconfig patterns if safe test environments are available.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-40489 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy