Skip to main content

uuid CVE-2026-41988

| EUVDEUVD-2026-25190 LOW
Always-Incorrect Control Flow Implementation (CWE-670)
2026-04-23 mitre GHSA-qmq6-f8pr-cx5x
2.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.5 LOW
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

7
CVSS changed
Jul 08, 2026 - 03:37 NVD
3.2 (LOW) 2.5 (LOW)
Patch released
Apr 24, 2026 - 14:50 nvd
Patch available
Analysis Generated
Apr 23, 2026 - 07:01 vuln.today
Patch available
Apr 23, 2026 - 06:16 EUVD
EUVD ID Assigned
Apr 23, 2026 - 05:00 euvd
EUVD-2026-25190
Analysis Generated
Apr 23, 2026 - 05:00 vuln.today
CVE Published
Apr 23, 2026 - 04:00 nvd
LOW 3.2

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 17 npm packages depend on uuid (12 direct, 5 indirect)

Ecosystem-wide dependent count for version 12.0.0.

DescriptionNVD

uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue.

AnalysisAI

UUID library versions before 14.0.0 make unexpected writes to external output buffers when generating UUID versions 3, 5, or 6, potentially corrupting adjacent memory. UUID version 4, the most commonly deployed variant, is unaffected. The vulnerability requires local access and non-default buffer configuration to exploit, resulting in integrity compromise rather than code execution or availability impact.

Technical ContextAI

The uuid library (npm package uuidjs/uuid) is a JavaScript implementation for generating and parsing RFC 4122 compliant universally unique identifiers. The vulnerability exists in UUID generation functions for versions 3, 5, and 6 when callers provide external pre-allocated output buffers to write results into, rather than using default allocations. Version 3 (MD5-based namespace UUID), version 5 (SHA-1-based namespace UUID), and version 6 (timestamp-based) generation functions fail to properly respect buffer boundaries, causing writes beyond the intended region. This is a buffer handling issue (CWE-670: Always-Incorrect Control Flow Implementation) where the generation logic does not properly validate or constrain write operations to external buffers. UUID version 4 (random) and version 1 (timestamp-based) are not affected, likely because their generation paths use different write logic or have proper boundary checks.

RemediationAI

Vendor-released patch: upgrade uuid library to version 14.0.0 or later. For npm projects, run 'npm install uuid@^14.0.0' or update the dependency version in package.json and reinstall. Most applications using uuid version 4 (random UUIDs) can safely defer patching if buffer allocation is not externally controlled; however, applications using UUID versions 3, 5, or 6 with external pre-allocated buffers should prioritize immediate upgrade. If immediate upgrade is not feasible and the application uses external buffers for UUID generation, implement input validation to ensure buffer size matches expected UUID output length (16 bytes), or refactor code to use the library's default internal buffer allocation (which is not affected by this issue). The patch is available from the GitHub security advisory at https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq and commit 3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34.

Share

CVE-2026-41988 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy