CVE-2026-40489

EUVD-2026-23636
editorconfig-core-c  is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. This is an incomplete fix for CVE-2023-0341. The pcre_str buffer was protected in 0.12.6 but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Debian logo
Debian Releases
Debian Product
Codename
editorconfig-core
bookworm
no-dsa
bullseye
postponed
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
no-dsa
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
editorconfig
Amazon Linux 2023
0:0.12.11-2.amzn2023.0.1
fixed
editorconfig-debuginfo
Amazon Linux 2023
0:0.12.11-2.amzn2023.0.1
fixed
editorconfig-debugsource
Amazon Linux 2023
0:0.12.11-2.amzn2023.0.1
fixed
editorconfig-devel
Amazon Linux 2023
0:0.12.11-2.amzn2023.0.1
fixed
editorconfig-libs
Amazon Linux 2023
0:0.12.11-2.amzn2023.0.1
fixed
editorconfig-libs-debuginfo
Amazon Linux 2023
0:0.12.11-2.amzn2023.0.1
fixed