Unrated severity · NVD Advisory · Published Sep 16, 2018 · Updated Aug 5, 2024

CVE-2018-17072

Description

JSON++ through 2016-06-15 contains a global-buffer-overread in yyparse() that can cause a crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The JSON++ library, through the 2016-06-15 release, contains a global-buffer-overread vulnerability in the yyparse() function in json.y (line 87). The over-read occurs when the parser accesses a global variable yyleng defined in lex.yy.cc and reads 8 bytes from a 4-byte allocation, as reported by AddressSanitizer. The issue is triggered during parsing of a JSON file, as demonstrated in test.cc [1]. All versions up to and including the 2016-06-15 commit are affected.

Exploitation

An attacker can trigger the bug by providing a specially crafted JSON input file. The input is parsed by a program using the JSON++ library. The over-read does not require any special authentication or network position; it can be triggered locally by a user or remotely if the application accepts untrusted JSON data. The specific sequence involves calling parse_file() which invokes yyparse(), leading to the buffer over-read in json.y at line 87 [1].

Impact

The over-read results in reading memory adjacent to the yyleng variable. While the provided report shows a crash due to a global-buffer-overflow, the bug is strictly a buffer over-read, which can cause a denial of service (application crash) and potentially leak sensitive memory contents if the read data is used in subsequent operations. The severity depends on the application context, but at minimum it allows an attacker to cause instability.

Mitigation

No official patch has been released as of the publication date. The GitHub issue [1] has no resolution or fix committed. Users should avoid using the library for parsing untrusted JSON input until a fix is available. If the library is no longer maintained, consider switching to an actively maintained JSON parsing library.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The yyparse() function in json.y performs a buffer over-read due to improper handling of input data."

Attack vector

An attacker can trigger this vulnerability by providing a specially crafted JSON input to the application. This input causes the yyparse() function to read beyond the allocated buffer boundaries. The reference write-up indicates that this issue was observed during testing with a file, suggesting that parsing malformed JSON data from a file could lead to the over-read [1].

Affected code

The vulnerability resides in the yyparse() function located in the json.y file. The AddressSanitizer output points to line 87, character 50, within yyparse() as the location of the buffer over-read [1]. The issue is related to the global variable 'yyleng' defined in lex.yy.cc [1].
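
A triage sketch for the kind of report described above, added here and not taken from the advisory or the JSON++ project: it parses an AddressSanitizer global-variable report and separates over-reads from over-writes. The sample report is constructed from the details on this page (yyparse() at json.y:87:50, an 8-byte read of the 4-byte yyleng in lex.yy.cc); the PID, addresses and the lex.yy.cc position are placeholders, and triage() is a hypothetical helper name.

```python
import re

# Constructed sample in AddressSanitizer's report layout. The PID, addresses
# and the lex.yy.cc line/column are placeholders, not values from the real report.
SAMPLE_REPORT = """\
==12345==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000a1b2c0 at pc 0x00000051f0aa bp 0x7ffd00000010 sp 0x7ffd00000008
READ of size 8 at 0x000000a1b2c0 thread T0
    #0 0x51f0a9 in yyparse() json.y:87:50
0x000000a1b2c0 is located 0 bytes to the right of global variable 'yyleng' defined in 'lex.yy.cc:0:0' (0xa1b2c0) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow json.y:87:50 in yyparse()
"""

ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME0 = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+) (\S+)$", re.M)
GLOBAL = re.compile(
    r"global variable '([^']+)' defined in '([^']+)' \((0x[0-9a-f]+)\) of size (\d+)")


def triage(report):
    """Summarise an ASan global-variable report as an over-read or over-write."""
    access, frame, glob = (p.search(report) for p in (ACCESS, FRAME0, GLOBAL))
    if not (access and frame and glob):
        return None  # not a global-variable report, or a truncated log
    size, var_size = int(access.group(2)), int(glob.group(4))
    # Distance from the start of the variable to the first byte accessed.
    offset = int(access.group(3), 16) - int(glob.group(3), 16)
    return {
        # ASan names both directions "global-buffer-overflow"; the READ/WRITE
        # line is what distinguishes a crash/leak risk from memory corruption.
        "kind": "over-read" if access.group(1) == "READ" else "over-write",
        "site": f"{frame.group(1)} {frame.group(2)}",
        "variable": glob.group(1),
        "defined_in": glob.group(2).split(":")[0],
        "access_size": size,
        "variable_size": var_size,
        # Bytes touched past the end of the variable's storage.
        "bytes_past_end": max(0, offset + size - var_size),
        # True when the access begins at the variable and is wider than it.
        "wider_than_variable": offset == 0 and size > var_size,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```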

What the fix does

The provided bundle does not contain information about a patch or specific remediation steps. Therefore, the advisory does not specify how the vulnerability is fixed. Users are advised to consult the vendor for updated versions or security patches.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
