Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
Lifecycle Timeline
3DescriptionCVE.org
A flaw was found in libucl. A remote attacker could exploit this by providing a specially crafted Universal Configuration Language (UCL) input that contains a key with an embedded null byte. This can cause a segmentation fault (SEGV fault) in the ucl_object_emit function when parsing and emitting the object, leading to a Denial of Service (DoS) for the affected system.
AnalysisAI
Denial of service in libucl allows remote attackers to crash affected applications by submitting maliciously crafted UCL configuration files containing null bytes in object keys, triggering a segmentation fault in the ucl_object_emit function. The vulnerability requires user interaction but has high impact potential with no available patch, affecting systems that parse untrusted UCL input. An attacker can remotely exploit this with low complexity to disable services relying on libucl for configuration parsing.
Technical ContextAI
The libucl library is a parser for the Universal Configuration Language (UCL), which is commonly used for configuration file parsing in various applications. The vulnerability is classified as CWE-125 (Out-of-bounds Read), indicating that the application reads data past the end of the intended buffer when processing null-terminated strings containing embedded null bytes. According to the CPE identifier cpe:2.3:a:libucl:libucl:*:*:*:*:*:*:*:*, all versions of libucl are potentially affected, with specific confirmation for version 3e7f023e184e06f30fb5792dacd9dd0f8b692f1b as noted by ENISA EUVD.
RemediationAI
Users should monitor the libucl GitHub repository at https://github.com/vstakhov/libucl/issues/323 for patch releases addressing this vulnerability. As no fixed version has been announced yet, implement input validation to reject or sanitize UCL configuration files containing null bytes in keys before processing them with libucl. For Red Hat-based systems, track the security advisory at https://access.redhat.com/security/cve/CVE-2026-0708 for distribution-specific patches. Consider implementing application-level controls to limit the processing of untrusted UCL files and monitor for segmentation faults that could indicate exploitation attempts.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12534