CVE-2026-40489

Name: CVE-2026-40489
Description: editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. The issue results from an incomplete fix for CVE-2023-0341: the pcre_str buffer was protected in 0.12.6, but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow into a SIGABRT (denial of service). Version 0.12.11 contains an updated fix.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1134338
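The mechanism the description outlines, shown as an added C illustration that is not code from editorconfig-core-c or from this tracker entry: a glob-to-regex translator in which each glob token expands into a longer regex fragment, so the output can outgrow a fixed-size stack buffer. One function appends without checking the remaining space (the bug shape the advisory describes for l_pattern); the other refuses any pattern that would not fit. The token expansions, the PATTERN_BUF size and every function name here are assumptions made for the example; the real l_pattern buffer is 8194 bytes and the real ec_glob() handles far more of the EditorConfig glob syntax.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Deliberately tiny so the limit is easy to hit; the buffer the advisory
 * names (l_pattern) is 8194 bytes. Assumed value for illustration only. */
#define PATTERN_BUF 16

/* Regex fragment a glob token expands to (assumed subset of the syntax):
 *   "**" -> ".*"      "*" -> "[^/]*"      "?" -> "[^/]"      "." -> "\."
 * Any other byte is a literal and is copied as-is (NULL is returned). */
static const char *expansion(const char *g, size_t *consumed)
{
    if (g[0] == '*' && g[1] == '*') { *consumed = 2; return ".*"; }
    if (g[0] == '*')                { *consumed = 1; return "[^/]*"; }
    if (g[0] == '?')                { *consumed = 1; return "[^/]"; }
    if (g[0] == '.')                { *consumed = 1; return "\\."; }
    *consumed = 1;
    return NULL;
}

/* Bytes the translated pattern needs, not counting the terminating NUL. */
size_t glob_regex_len(const char *glob)
{
    size_t n = 0, k;
    while (*glob) {
        const char *e = expansion(glob, &k);
        n += e ? strlen(e) : 1;
        glob += k;
    }
    return n;
}

/* The bug shape: tokens are appended without checking how much of `out`
 * remains, so a crafted pattern runs off the end of a fixed stack buffer.
 * Kept only to show the missing check; never call it on untrusted input. */
void glob_to_regex_unchecked(const char *glob, char *out)
{
    size_t k;
    while (*glob) {
        const char *e = expansion(glob, &k);
        if (e) { strcpy(out, e); out += strlen(e); }
        else   { *out++ = *glob; }
        glob += k;
    }
    *out = '\0';
}

/* Hardened form: refuse the pattern as soon as the next token plus the NUL
 * would not fit. Returns 0 on success, -1 when the pattern is too long. */
int glob_to_regex(const char *glob, char *out, size_t out_sz)
{
    size_t used = 0, k;
    while (*glob) {
        const char *e = expansion(glob, &k);
        size_t len = e ? strlen(e) : 1;
        if (len + 1 > out_sz - used)   /* room for token and terminator? */
            return -1;
        if (e) memcpy(out + used, e, len); else out[used] = *glob;
        used += len;
        glob += k;
    }
    out[used] = '\0';
    return 0;
}

/* Models a caller like ec_glob(): a fixed stack buffer receives the
 * translated pattern. Returns 0 if accepted, -1 if the pattern was rejected. */
int translate_into_stack_buffer(const char *glob)
{
    char pattern[PATTERN_BUF];
    return glob_to_regex(glob, pattern, sizeof pattern);
}

int main(void)
{
    const char *ok = "*.c";        /* -> "[^/]*\.c", 8 bytes, fits   */
    const char *too_long = "*?*?"; /* -> 18 bytes, exceeds PATTERN_BUF */
    printf("%-6s needs %2zu bytes: %s\n", ok, glob_regex_len(ok),
           translate_into_stack_buffer(ok) == 0 ? "accepted" : "rejected");
    printf("%-6s needs %2zu bytes: %s\n", too_long, glob_regex_len(too_long),
           translate_into_stack_buffer(too_long) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The checked translator returns an error instead of corrupting the stack, so a library built this way does not need FORTIFY_SOURCE to turn the overflow into the SIGABRT the description reports; the caller can surface the rejection as a normal parse failure for the offending .editorconfig file.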

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package             Release               Version                Status
editorconfig-core (PTS)    bullseye              0.12.1-1.1             vulnerable
                           bullseye (security)   0.12.1-1.1+deb11u1     vulnerable
                           bookworm              0.12.6-0.1             vulnerable
                           trixie                0.12.9+~0.17.1-1       vulnerable
                           forky, sid            0.12.10+~0.17.1-3      vulnerable

The information below is based on the following data on fixed versions.

Package             Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
editorconfig-core   source   (unstable)   (unfixed)                          1134338

Notes

https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-97xg-vrcq-254h
Fixed by: https://github.com/editorconfig/editorconfig-core-c/commit/5159be88ad50641d9843289adda791ba300421ff (v0.12.11)
