Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. This is an incomplete fix for CVE-2023-0341. The pcre_str buffer was protected in 0.12.6 but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix.
AnalysisAI
Stack-based buffer overflow in editorconfig-core-c library (versions ≤0.12.10) enables local attackers to crash applications or potentially execute arbitrary code via maliciously crafted .editorconfig files and directory structures. This incomplete fix for CVE-2023-0341 left the l_pattern[8194] stack buffer unprotected while only addressing the pcre_str buffer in version 0.12.6. Patched in version 0.12.11. No active exploitation confirmed (not in CISA KEV), but publicly exploitable with local access and minimal complexity (CVSS AV:L/AC:L/PR:N).
Technical ContextAI
EditorConfig is a widely-adopted configuration system used by text editors and IDEs to maintain consistent coding styles across projects. The editorconfig-core-c library (CPE: cpe:2.3:a:editorconfig:editorconfig-core-c) provides the parsing engine for .editorconfig files. The vulnerability resides in the ec_glob() function, where the l_pattern[8194] static stack buffer lacks bounds checking during pattern matching operations. This is classified as CWE-121 (Stack-based Buffer Overflow), a memory safety issue allowing writes beyond allocated buffer boundaries. The vulnerability represents an incomplete remediation of CVE-2023-0341 - while the earlier patch protected the pcre_str buffer in version 0.12.6, the adjacent l_pattern buffer remained vulnerable. On systems with FORTIFY_SOURCE protections (standard in Ubuntu 24.04 and modern Linux distributions), the overflow triggers SIGABRT, resulting in application crash (DoS). On systems without these protections, arbitrary code execution becomes theoretically possible depending on stack layout and exploit sophistication.
RemediationAI
Upgrade editorconfig-core-c to version 0.12.11 or later, which contains the complete fix for the l_pattern buffer overflow (commit 5159be88ad50641d9843289adda791ba300421ff). Organizations should identify all applications using libeditorconfig through dependency scanning and update accordingly. Release details: https://github.com/editorconfig/editorconfig-core-c/releases/tag/v0.12.11. For systems where immediate patching is not feasible, implement compensating controls: (1) Restrict processing of .editorconfig files to trusted sources only - configure IDEs/editors to ignore .editorconfig in untrusted repositories or require manual approval before parsing, understanding this breaks automatic style enforcement; (2) Deploy on systems with FORTIFY_SOURCE enabled (standard in Ubuntu 24.04+, RHEL 9+, Fedora 35+) to downgrade exploitation from code execution to denial-of-service, though this only mitigates severity and does not eliminate the vulnerability; (3) In CI/CD environments, run builds in isolated containers with limited privileges to contain potential exploitation impact; (4) Monitor for unexpected application crashes (SIGABRT) when processing repositories, which may indicate exploitation attempts. Trade-offs: Disabling .editorconfig processing eliminates automatic code style consistency; container isolation adds pipeline complexity and resource overhead. Verify patch deployment by checking library version in dependent applications and testing with known-malicious .editorconfig patterns if safe test environments are available.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Development Tools 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Development Tools 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23636