| Name | CVE-2026-13573 |
| Description | A vulnerability was found in llvm llvm-project up to 22.1.6. This affects the function llvm::StringMap::insert in the library /lib/IR/ValueSymbolTable.cpp of the component ValueSymbolTable Module. The manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| llvm-toolchain-18 (PTS) | trixie | 1:18.1.8-18 | vulnerable |
| | sid | 1:18.1.8-20 | vulnerable |
| llvm-toolchain-19 (PTS) | bullseye (security) | 1:19.1.7-3~deb11u1 | vulnerable |
| | bookworm | 1:19.1.7-3~deb12u1 | vulnerable |
| | trixie | 1:19.1.7-3 | vulnerable |
| | forky, sid | 1:19.1.7-22 | vulnerable |
| llvm-toolchain-21 (PTS) | forky, sid | 1:21.1.8-7 | vulnerable |
| llvm-toolchain-22 (PTS) | forky, sid | 1:22.1.8-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| llvm-toolchain-18 | source | (unstable) | (unfixed) | unimportant | | |
| llvm-toolchain-19 | source | (unstable) | (unfixed) | unimportant | | |
| llvm-toolchain-21 | source | (unstable) | (unfixed) | unimportant | | |
| llvm-toolchain-22 | source | (unstable) | (unfixed) | unimportant | | |
https://github.com/llvm/llvm-project/issues/199187
Crash in CLI tool, no security impact