Skip to main content

Libucl EUVDEUVD-2026-12534

| CVE-2026-0708 HIGH
Out-of-bounds Read (CWE-125)
2026-03-17 fedora
8.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
Red Hat
8.3 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 17, 2026 - 08:13 euvd
EUVD-2026-12534
Analysis Generated
Mar 17, 2026 - 08:13 vuln.today
CVE Published
Mar 17, 2026 - 02:28 nvd
HIGH 8.3

DescriptionCVE.org

A flaw was found in libucl. A remote attacker could exploit this by providing a specially crafted Universal Configuration Language (UCL) input that contains a key with an embedded null byte. This can cause a segmentation fault (SEGV fault) in the ucl_object_emit function when parsing and emitting the object, leading to a Denial of Service (DoS) for the affected system.

AnalysisAI

Denial of service in libucl allows remote attackers to crash affected applications by submitting maliciously crafted UCL configuration files containing null bytes in object keys, triggering a segmentation fault in the ucl_object_emit function. The vulnerability requires user interaction but has high impact potential with no available patch, affecting systems that parse untrusted UCL input. An attacker can remotely exploit this with low complexity to disable services relying on libucl for configuration parsing.

Technical ContextAI

The libucl library is a parser for the Universal Configuration Language (UCL), which is commonly used for configuration file parsing in various applications. The vulnerability is classified as CWE-125 (Out-of-bounds Read), indicating that the application reads data past the end of the intended buffer when processing null-terminated strings containing embedded null bytes. According to the CPE identifier cpe:2.3:a:libucl:libucl:*:*:*:*:*:*:*:*, all versions of libucl are potentially affected, with specific confirmation for version 3e7f023e184e06f30fb5792dacd9dd0f8b692f1b as noted by ENISA EUVD.

RemediationAI

Users should monitor the libucl GitHub repository at https://github.com/vstakhov/libucl/issues/323 for patch releases addressing this vulnerability. As no fixed version has been announced yet, implement input validation to reject or sanitize UCL configuration files containing null bytes in keys before processing them with libucl. For Red Hat-based systems, track the security advisory at https://access.redhat.com/security/cve/CVE-2026-0708 for distribution-specific patches. Consider implementing application-level controls to limit the processing of untrusted UCL files and monitor for segmentation faults that could indicate exploitation attempts.

Vendor StatusVendor

Share

EUVD-2026-12534 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy