Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector; victim must compile the crafted file (UI:R); no privileges needed to supply a source file; read-only impact limits C:L and A:L with no integrity effect.
Primary rating from Vendor (CERT-PL).
CVSS VectorVendor: CERT-PL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
8cc is vulnerable to an Out‑of‑Bounds Read due to improper handling of #line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays. By supplying invalid or oversized line numbers, an attacker can trigger out-of-bounds memory access and a crash.
Maintainer of this project was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Version corresponding to the commit b480958 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
AnalysisAI
Out-of-bounds read in 8cc, a small C compiler by rui314, allows a local attacker to crash the compiler and potentially disclose compiler process memory by supplying a crafted source file containing malicious #line directives or GNU linemarkers with oversized line numbers. The vulnerability arises because attacker-controlled filename and line number metadata embedded in source files is accepted and used without bounds validation when 8cc accesses internal source line arrays. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must supply a crafted C source file containing a malicious #line directive or GNU linemarker with an oversized line number value to a victim who then compiles it using 8cc. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.1 (Medium) reflects a bounded, local-exploitation scenario. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a C source file containing a #line directive with an arbitrarily large line number (e.g., #line 999999999) and delivers it to a developer or automated build system that uses 8cc. When the developer compiles the file, 8cc uses the attacker-supplied line number as an unvalidated array index, reading memory beyond the source line buffer, which causes an immediate compiler crash and may expose adjacent memory contents of the compiler process. … |
| Remediation | No vendor-released patch identified at time of analysis; the maintainer did not respond to CERT-PL's coordinated disclosure notification. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37865
GHSA-r8v3-j8rv-hmxv