Skip to main content

uriparser CVE-2026-44927

| EUVDEUVD-2026-28536 LOW
Numeric Truncation Error (CWE-197)
2026-05-08 mitre GHSA-gmxg-5w57-j63q
2.9
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
May 08, 2026 - 09:02 EUVD
Source Code Evidence Fetched
May 08, 2026 - 08:00 vuln.today
Analysis Generated
May 08, 2026 - 08:00 vuln.today
CVE Published
May 08, 2026 - 07:13 nvd
LOW 2.9

DescriptionCVE.org

In uriparser before 1.0.2, there is pointer difference truncation to int in various places.

AnalysisAI

Pointer difference truncation to signed int in uriparser before version 1.0.2 allows local attackers to cause integer overflow and data integrity issues through specially crafted URI inputs. The vulnerability stems from unsafe casting of pointer arithmetic results (afterLast - first) to int, which can overflow on systems where pointer differences exceed INT_MAX, leading to buffer overflows, incorrect memory calculations, and potential information disclosure. While CVSS score is low (2.9) due to local attack vector and high complexity, the fix adds comprehensive overflow detection using SIZE_MAX checks, indicating real risk in applications processing untrusted URIs locally.

Technical ContextAI

uriparser is a C library that parses and manipulates Uniform Resource Identifiers (URIs) according to RFC 3986. The vulnerability resides in multiple parsing and normalization functions (UriCommon.c, UriFile.c, UriNormalize.c, UriQuery.c) that calculate buffer lengths by subtracting pointer values (pointer arithmetic). In C, pointer subtraction yields a ptrdiff_t value; the vulnerable code unsafely casts these results to signed int via (int)(ptr_b - ptr_a). On systems where pointer arithmetic results exceed INT_MAX (e.g., processing large buffers or due to memory layout), this truncation causes integer overflow, leading to negative or wrapped values used in subsequent size calculations and memory operations. CWE-197 (Numeric Truncation Error) describes this exact flaw: loss of information during type conversion. The fix replaces int with size_t for length variables, adds stdint.h includes for SIZE_MAX, and implements explicit overflow checks before memory operations, preventing wrapped values from corrupting downstream logic.

RemediationAI

Upgrade uriparser to version 1.0.2 or later, which includes comprehensive overflow detection using SIZE_MAX and size_t types across all affected functions. If immediate upgrade is not feasible, apply the patch from GitHub PR #304 (https://github.com/uriparser/uriparser/pull/304) to your codebase; critical changes include: (1) Replace int length variables with size_t in UriCommon.c (RangeEquals, RemoveDotSegmentsEx), UriFile.c (FilenameToUriString), UriNormalize.c (LowercaseInplaceExceptPercentEncoding, FixPercentEncodingEngine, FixPercentEncodingMalloc), and UriQuery.c (ComposeQueryEngine, AppendQueryItem); (2) Add overflow checks using SIZE_MAX / sizeof(URI_CHAR) before all size-based memory operations; (3) Return URI_ERROR_OUTPUT_TOO_LARGE or URI_FALSE on overflow detection. Recompile dependent applications after patching. As a temporary compensating control, restrict uriparser usage to trusted, locally-generated URI inputs and avoid processing URIs from untrusted local sources (file uploads, IPC) until patched; this control is imperfect and does not prevent all attack scenarios.

Share

CVE-2026-44927 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy