High severity · NVD Advisory · Published Apr 18, 2026 · Updated Apr 20, 2026
CVE-2026-40489
Description
editorconfig-core-c is the EditorConfig core library used by editor plugins to parse .editorconfig files. Versions up to and including 0.12.10 contain a stack-based buffer overflow in ec_glob() that lets an attacker crash any application linked against libeditorconfig by supplying a specially crafted directory structure together with a .editorconfig file. The bug is an incomplete fix for CVE-2023-0341: version 0.12.6 added bounds protection for the pcre_str buffer, but the adjacent l_pattern[8194] stack buffer received no equivalent check. On Ubuntu 24.04, where the library is built with FORTIFY_SOURCE, the runtime check turns the overflow into a SIGABRT, so the observed impact is denial of service; a build without that hardening gets no such check at that point. Version 0.12.11 contains an updated fix.
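The two kinds of copy described above, as an added illustration that is not editorconfig-core-c's own code: a toy glob-to-regex translation into a fixed 8194-byte stack buffer sized like the l_pattern[8194] quoted here. unchecked_required_len() measures how many bytes a copy with no capacity check would write (without actually writing them), and bounded_build_pattern() is the bounds-checked form that a fix for the second buffer needs, returning -1 instead of overrunning. PATTERN_MAX = 4097, the translation rules and their per-byte costs, and the constructed long directory prefix and '*'-only glob are all assumptions made for this example; the real ec_glob() translation and the exact way the crafted directory structure reaches the buffer are not shown on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed: PATTERN_MAX of 4097 so that 2 * PATTERN_MAX is 8194, the
 * l_pattern size quoted in the advisory.  A translation in which every
 * input byte may expand to two output bytes is the usual reason for 2x. */
#define PATTERN_MAX  4097
#define L_PATTERN_SZ (2 * PATTERN_MAX)   /* 8194 */

/* Output cost of one glob byte in this toy translation (an assumption, not
 * ec_glob()'s real rules): '*' -> ".*", '.' -> "\.", '\' -> "\\" cost two
 * bytes, everything else one. */
static size_t cost(char c)
{
    return (c == '*' || c == '.' || c == '\\') ? 2 : 1;
}

/* Bytes, NUL included, that an unchecked translation of dir + "/" + glob
 * would write into l_pattern.  Nothing is written; this only measures what
 * a copy with no capacity check would push onto the stack. */
size_t unchecked_required_len(const char *dir, const char *glob)
{
    size_t n = strlen(dir) + 1;              /* dir and the '/' separator */
    for (const char *p = glob; *p; ++p)
        n += cost(*p);
    return n + 1;                            /* terminating NUL */
}

bool would_overflow_l_pattern(const char *dir, const char *glob)
{
    return unchecked_required_len(dir, glob) > L_PATTERN_SZ;
}

/* Hardened translation: same output, but each write is checked against cap
 * and the caller gets -1 instead of a smashed stack frame. */
int bounded_build_pattern(char *dst, size_t cap, const char *dir, const char *glob)
{
    size_t n = strlen(dir);
    if (n + 1 >= cap)                        /* dir + '/' + NUL must fit */
        return -1;
    memcpy(dst, dir, n);
    dst[n++] = '/';
    for (const char *p = glob; *p; ++p) {
        if (n + cost(*p) >= cap)             /* always keep one byte for NUL */
            return -1;
        switch (*p) {
        case '*':  dst[n++] = '.';  dst[n++] = '*';  break;
        case '.':  dst[n++] = '\\'; dst[n++] = '.';  break;
        case '\\': dst[n++] = '\\'; dst[n++] = '\\'; break;
        case '?':  dst[n++] = '.';                   break;
        default:   dst[n++] = *p;                    break;
        }
    }
    dst[n] = '\0';
    return (int)n;
}

/* Constructed sample input: a 4499-byte directory prefix and a 3999-byte
 * glob made only of '*'.  Each '*' expands to two bytes, so the unchecked
 * translation needs far more than the 8194 bytes l_pattern has. */
static char crafted_dir[4500], crafted_glob[4000];
static void init_crafted(void)
{
    memset(crafted_dir, 'd', sizeof crafted_dir - 1);    /* NUL from static zero-init */
    memset(crafted_glob, '*', sizeof crafted_glob - 1);
}

bool crafted_overflows(void)
{
    init_crafted();
    return would_overflow_l_pattern(crafted_dir, crafted_glob);
}

int crafted_bounded(void)
{
    static char l_pattern[L_PATTERN_SZ];
    init_crafted();
    return bounded_build_pattern(l_pattern, sizeof l_pattern, crafted_dir, crafted_glob);
}

int main(void)
{
    char l_pattern[L_PATTERN_SZ];
    init_crafted();
    int n = bounded_build_pattern(l_pattern, sizeof l_pattern, "/home/u/proj", "*.c");
    printf("benign: %d bytes -> %s\n", n, l_pattern);
    printf("crafted: unchecked copy needs %zu bytes (limit %d), overflow=%d, bounded result=%d\n",
           unchecked_required_len(crafted_dir, crafted_glob), L_PATTERN_SZ,
           (int)crafted_overflows(), crafted_bounded());
    return 0;
}
```

The point of the split between the measuring function and the bounded builder is the one the advisory makes: a capacity check on pcre_str alone does nothing for the other fixed-size buffer that the same input flows into, so every buffer on the path from the .editorconfig section header to the compiled regex needs its own check, and the caller must be able to reject the pattern rather than rely on FORTIFY_SOURCE to abort.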
Affected products
- editorconfig-core-c (upstream, no CPE): versions <= 0.12.10
- pkg:rpm/opensuse/editorconfig-core-c (openSUSE Leap 16.0): < 0.12.9-160000.3.1
- pkg:rpm/opensuse/editorconfig-core-c (openSUSE Tumbleweed): < 0.12.11-1.1
- pkg:rpm/suse/editorconfig-core-c (SUSE Linux Enterprise Server 16.0): < 0.12.9-160000.3.1
- pkg:rpm/suse/editorconfig-core-c (SUSE Linux Enterprise Server for SAP applications 16.0): < 0.12.9-160000.3.1
Patches
Vulnerability mechanics
References