uriparser EUVD-2026-25776

CVE-2026-42371 MEDIUM
Numeric Truncation Error (CWE-197)
2026-04-27 mitre
5.1
CVSS 3.1 · NVD

Severity by source

NVD (primary): 5.1 MEDIUM, AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE: MEDIUM (qualitative)
Red Hat: 4.7 MEDIUM (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch released: Apr 27, 2026 - 18:57 (nvd)
Patch available: Apr 27, 2026 - 08:01 (EUVD)
Analysis Generated: Apr 27, 2026 - 06:45 (vuln.today)
EUVD ID Assigned (EUVD-2026-25776): Apr 27, 2026 - 06:30 (euvd)
Analysis Generated: Apr 27, 2026 - 06:30 (vuln.today)
CVE Published: Apr 27, 2026 - 05:50 (nvd)

Description (CVE.org)

uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes.

Analysis (AI)

uriparser before 1.0.1 suffers a numeric truncation vulnerability in text range comparison that causes denial of service when processing URIs with gigabyte-scale lengths. The flaw occurs because internal range comparisons truncate large numeric values, allowing maliciously crafted oversized URIs to bypass length validation and trigger memory exhaustion or processing failures. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft oversized URI with gigabyte-scale length claim
Delivery: Deliver to vulnerable application
Exploit: Application parses with unpatched uriparser
Execution: Numeric truncation in range check bypasses validation
Persist: Memory exhaustion or buffer access violation
Impact: Denial of service or process crash

Vulnerability Assessment (AI)

Exploitation: Exploitation requires three specific conditions: (1) the application must accept untrusted URIs and forward them directly to uriparser without independent length validation; (2) the application must not have external limits on URI size (HTTP server limits, network layer restrictions, or application-level input bounds); and (3) the URI must contain a component whose length exceeds the integer overflow threshold (approximately 2 GB for 32-bit signed integers or 4 GB for 32-bit unsigned integers). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: CVSS 5.1 with local attack vector (AV:L), high complexity (AC:H), no privileges required, no user interaction, and unchanged scope (S:U) indicates a low-severity but real denial-of-service risk. …

Exploit Scenario: An attacker crafts a malicious URI with a component length claiming multiple gigabytes (e.g., a crafted query string asserting 5 GB of data). If a local application or service processes this URI without pre-validating its size and passes it directly to uriparser, the library's range comparison overflows, truncating the large integer. …

Remediation: Upgrade uriparser to version 1.0.1 or later. …

Vendor Status

SUSE

Severity: Medium
Product Status:
SUSE Linux Enterprise Module for Package Hub 15 SP7: Fixed
SUSE Linux Enterprise Server 16.0: Fixed
SUSE Linux Enterprise Server 16.1: Fixed
SUSE Linux Enterprise Server for SAP applications 16.0: Fixed
SUSE Linux Enterprise Server for SAP applications 16.1: Fixed

EUVD-2026-25776 vulnerability details – vuln.today
