CVE-2026-36189
Description
Buffer overflow vulnerability in the Uncrustify project, affecting v.Uncrustify_d-0.82.0-132-bcc41cbdc and fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc, allows a local attacker to cause a denial of service via the following components: check_template.cpp, the check_template function, the tokenize_cleanup function, and the uncrustify executable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in Uncrustify's check_template() allows local DoS via crafted malformed C/C++ template syntax.
Vulnerability Overview
CVE-2026-36189 is a stack-based buffer overflow vulnerability in the Uncrustify source code formatting tool, specifically in the check_template() function located in src/tokenizer/check_template.cpp. The bug stems from insufficient boundary validation when storing template-related tokens into a fixed-size stack buffer. During parsing of malformed C/C++ template syntax, the number of collected tokens can exceed the buffer capacity, leading to an out-of-bounds write and a stack buffer overflow [1].
Exploitation Scenario
The vulnerability is locally exploitable. An attacker with the ability to supply a specially crafted source file to Uncrustify can trigger the overflow. The call chain is main → do_source_file → uncrustify_file → uncrustify_start → tokenize_cleanup → check_template. While no arbitrary code execution has been confirmed, the overflow reliably causes a denial of service via application crash. Environments where Uncrustify is used in CI/CD pipelines, automated formatting services, or online code processing systems handling untrusted source files are particularly at risk [1].
Impact
The primary impact is denial of service. A local attacker can crash the Uncrustify process, disrupting formatting services. The vulnerability is classified as CWE-121 (Stack-based Buffer Overflow) with a CVSS v3 score of 6.2 (Medium) [1].
Mitigation
The issue was addressed in upstream commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc. Users should update to a version including this fix or later. As a workaround, avoid processing untrusted source files with Uncrustify. Note that an earlier pull request (#4641) attempted a partial fix by increasing the buffer size, but this was considered insufficient and the proper fix was applied via the mentioned commit [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: = v.Uncrustify_d-0.82.0-132-bcc41cbdc
Patches
1 patch: d49e1722d622 Merge 68e67b9a1435a1bb173b106fedb4a4f510972bdc into 6637e35a15a95cc027306cd8d1db4e4bd2967f60
1 file changed · +22 −8
src/tokenizer/check_template.cpp+22 −8 modified@@ -253,9 +253,9 @@ void check_template(Chunk *start, bool in_type_cast) * Scan forward to the angle close * If we have a comparison in there, then it can't be a template. */ - const int max_token_count = 1024; - E_Token tokens[max_token_count]; - size_t num_tokens = 1; + const size_t max_token_count = 2 * 1024; + E_Token tokens[max_token_count]; + size_t num_tokens = 1; tokens[0] = CT_ANGLE_OPEN; @@ -295,20 +295,30 @@ void check_template(Chunk *start, bool in_type_cast) if (pc->IsString("<")) { - if ( num_tokens > 0 && (tokens[num_tokens - 1] == CT_PAREN_OPEN) + if ( num_tokens > 0 + && (tokens[num_tokens - 1] == CT_PAREN_OPEN) && invalid_open_angle_template(pc->GetPrev())) { pc->SetType(CT_COMPARE); // Issue #3127 } else { tokens[num_tokens] = CT_ANGLE_OPEN; + + if (num_tokens >= max_token_count) + { + fprintf(stderr, "FATAL(2): The variable 'tokens' is not big enough:\n"); + fprintf(stderr, " it should be bigger as %zu\n", max_token_count); + fprintf(stderr, "Please make a report.\n"); + exit(EX_SOFTWARE); + } num_tokens++; } } else if (pc->IsString(">")) { - if (num_tokens > 0 && (tokens[num_tokens - 1] == CT_PAREN_OPEN)) + if ( num_tokens > 0 + && (tokens[num_tokens - 1] == CT_PAREN_OPEN)) { handle_double_angle_close(pc); } @@ -352,11 +362,15 @@ void check_template(Chunk *start, bool in_type_cast) } else if (pc->Is(CT_PAREN_OPEN)) { - if (num_tokens >= max_token_count - 1) + tokens[num_tokens] = CT_PAREN_OPEN; + + if (num_tokens >= max_token_count) { - break; + fprintf(stderr, "FATAL(2): The variable 'tokens' is not big enough:\n"); + fprintf(stderr, " it should be bigger as %zu\n", max_token_count); + fprintf(stderr, "Please make a report.\n"); + exit(EX_SOFTWARE); } - tokens[num_tokens] = CT_PAREN_OPEN; num_tokens++; } else if ( pc->Is(CT_QUESTION) // Issue #2949
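Review bot: The new size in the @@ -253,9 +253,9 hunk, const size_t max_token_count = 2 * 1024, carries no comment saying why 2048 entries is enough, and tokens is still a fixed-size stack array, so the limit has only moved. Please document where the number comes from, or size the storage from the input (for example a std::vector<E_Token>) so that no cap is needed. The change from int to size_t is right, since the value is compared against the size_t num_tokens.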
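Review bot: In the else branch for "<" (@@ -295,20 +295,30 hunk), tokens[num_tokens] = CT_ANGLE_OPEN is executed before the added if (num_tokens >= max_token_count) test, so when num_tokens equals max_token_count one element is still written past the end of tokens before exit(EX_SOFTWARE) runs. Move the test above the assignment. The message text "it should be bigger as %zu" should read "bigger than", and since the same three fprintf lines recur in the CT_PAREN_OPEN branch they could go into one helper.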
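Review bot: In the CT_PAREN_OPEN branch (@@ -352,11 +362,15 hunk), the patch moves tokens[num_tokens] = CT_PAREN_OPEN above the capacity test, whereas the removed lines tested first and only then stored; with the new order the store at num_tokens == max_token_count lands one element past the array before the exit. Keep the test ahead of the assignment. Note also that break is replaced by exit(EX_SOFTWARE), so an input with too many tokens now terminates the whole process; if that is intended, say so in a comment, otherwise leave the function without exiting so the caller can report the file and continue.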
Vulnerability mechanics
Root cause
"Missing bounds check on token array index in check_template() allows out-of-bounds write via crafted input."
Attack vector
A local attacker provides a crafted source file to the uncrustify executable. When the file is processed, the check_template() function in check_template.cpp accesses a token array without validating the index, leading to an out-of-bounds write. The attacker does not need special privileges beyond the ability to invoke uncrustify on the malicious file. The crash occurs during the tokenize_cleanup() phase, resulting in a denial of service.
Affected code
The vulnerability resides in check_template.cpp within the check_template() function, which is called during the tokenize_cleanup() phase of the uncrustify executable. The function accesses a token array without validating the index against the allocated size, enabling an out-of-bounds write.
What the fix does
The patch [patch_id=1237461] adds a bounds check before the array access in check_template(), ensuring the index does not exceed the allocated token count. If the index is out of range, the function returns early instead of performing the write. This closes the buffer overflow by preventing access beyond the valid memory region.
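Why a bounds check has to sit before the store it protects, as an added example that is not Uncrustify's code: a scaled-down model in which Frame, Tok, kCap and scan() are hypothetical names, kCap stands in for max_token_count, and one extra guard slot stands in for the stack memory that follows the array.

```cpp
// Added illustration, not Uncrustify code: Tok, kCap, Frame and scan() are hypothetical.
#include <array>
#include <cstddef>
#include <cstdio>
#include <string>

enum class Tok : unsigned char { None, AngleOpen, ParenOpen, Guard };
constexpr std::size_t kCap = 8;   // stand-in for max_token_count

struct Frame {
   std::array<Tok, kCap + 1> slot{};   // slot[kCap] models the stack memory just past tokens[]
   std::size_t count = 0;
   Frame() { slot[kCap] = Tok::Guard; }
   bool guard_intact() const { return slot[kCap] == Tok::Guard; }
};

// Store first, test afterwards: with count == kCap the store has already gone past the array.
bool push_store_then_check(Frame &f, Tok t) {
   f.slot[f.count] = t;
   if (f.count >= kCap) { return false; }
   f.count++;
   return true;
}

// Test first: a full array is reported before anything is written.
bool push_check_then_store(Frame &f, Tok t) {
   if (f.count >= kCap) { return false; }
   f.slot[f.count++] = t;
   return true;
}

// Collect opening tokens; returns false as soon as a push is rejected.
template<typename Push>
bool scan(Frame &f, const std::string &src, Push push) {
   for (char c : src) {
      Tok t = (c == '<') ? Tok::AngleOpen : (c == '(') ? Tok::ParenOpen : Tok::None;
      if (t != Tok::None && !push(f, t)) { return false; }
   }
   return true;
}

int main() {
   const std::string deep(kCap + 4, '(');   // constructed input: more openers than slots
   Frame before, after;
   scan(before, deep, push_store_then_check);
   scan(after, deep, push_check_then_store);
   std::printf("store-then-check: guard intact = %d\n", before.guard_intact());
   std::printf("check-then-store: guard intact = %d\n", after.guard_intact());
   return 0;
}
```

Both variants reject the over-long input, but only the check-then-store variant leaves the guard slot untouched.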
Preconditions
- input: Attacker must supply a crafted source file that triggers the out-of-bounds index in check_template()
- auth: Attacker must be able to invoke the uncrustify executable on the malicious file (local access)
Generated on May 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0 (no linked articles in our index yet)