Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.4, a stack-based buffer overflow vulnerability in the Zen C compiler allows attackers to cause a compiler crash or potentially execute arbitrary code by providing a specially crafted Zen C source file (.zc) with excessively long struct, function, or trait identifiers. Users are advised to update to Zen C version v0.4.4 or later to receive a patch.
AnalysisAI
The Zen C compiler (versions prior to 0.4.4) crashes or enables arbitrary code execution when processing maliciously crafted .zc source files containing excessively long identifiers for structs, functions, or traits, triggering a stack-based buffer overflow (CWE-121). A proof-of-concept exploit exists per SSVC assessment, though attack complexity remains moderate as it requires local access and user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:R). Vendor-released patch: version 0.4.4.
Technical ContextAI
Zen C is a systems programming language that transpiles to human-readable GNU C/C11 code. The vulnerability (CWE-121: Stack-based Buffer Overflow) resides in the compiler's identifier parsing logic, where insufficient bounds checking allows attackers to overflow stack-allocated buffers during compilation of source files. The affected product is identified via CPE cpe:2.3:a:zenc-lang:zenc:*:*:*:*:*:*:*:* covering all versions prior to 0.4.4. Stack-based buffer overflows occur when data written to a buffer exceeds its allocated stack memory region, potentially overwriting return addresses or function pointers to redirect program execution. In this compiler context, the overflow occurs during the compilation phase rather than in compiled output, making the compiler itself the attack surface.
RemediationAI
Upgrade Zen C compiler to version 0.4.4 or later to receive the vendor-released patch addressing the stack buffer overflow, as documented in the GitHub security advisory at https://github.com/zenc-lang/zenc/security/advisories/GHSA-rv74-w6q7-h8xr. Organizations unable to immediately upgrade should implement compensating controls including restricting compilation to trusted source files only, implementing code review processes for all .zc files before compilation, and isolating compiler execution in sandboxed or containerized environments with limited privileges. Continuous integration pipelines should validate source file identifier lengths before compilation and consider implementing automated static analysis to detect suspicious patterns in source files prior to compiler invocation.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16319