| Name | CVE-2026-41988 |
| Description | uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| node-uuid (PTS) | bullseye | 8.3.2+~8.3.0-4 | vulnerable |
| bookworm | 8.3.2+~8.3.3-3 | vulnerable | |
| trixie | 8.3.2+~8.3.4-1 | vulnerable | |
| forky, sid | 14.0.0+~11.0.0-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-uuid | source | (unstable) | 14.0.0+~11.0.0-1 |
[trixie] - node-uuid <no-dsa> (Minor issue)
[bookworm] - node-uuid <no-dsa> (Minor issue)
[bullseye] - node-uuid <postponed> (Minor issue; can be fixed in next update)
https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq
Fixed by: https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34 (v14.0.0)