CVE-2026-41988

EUVD-2026-25190
uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
mitreCNA
3.2 LOW
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
uuidjsuuid
𝑥
< 14.0.0
CNA
Debian logo
Debian Releases
Debian Product
Codename
node-uuid
bookworm
no-dsa
bullseye
postponed
forky
14.0.0+~11.0.0-1
fixed
sid
14.0.0+~11.0.0-1
fixed
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-uuid
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
resolute
needs-triage
trusty
needs-triage
xenial
ignored
Common Weakness Enumeration
References
https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34
https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq
https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq