Buffer Overflow Vulnerability in EditorConfig Core Library by EditorConfig
CVE-2026-40489

8.6HIGH

Key Information:

Vendor

Editorconfig

Status
Editorconfig-core-c
Vendor
CVE Published:
18 April 2026

What is CVE-2026-40489?

The EditorConfig core library, essential for plugins that parse EditorConfig files, is vulnerable due to a stack-based buffer overflow in the ec_glob() function. This vulnerability permits an attacker to crash applications utilizing the library by crafting a malicious directory structure combined with a specially designed .editorconfig file. While the pcre_str buffer had some safeguards implemented in version 0.12.6, adjacent stack buffers like l_pattern[8194] remain unprotected. The consequence on systems like Ubuntu 24.04 can include application termination via SIGABRT, representing a denial-of-service scenario. Users are urged to upgrade to version 0.12.11, which addresses this issue with enhanced protection.

Affected Version(s)

editorconfig-core-c < 0.12.11

References

https://github.com/editorconfig/editorconfig-core-c/secur...
x_refsource_CONFIRM
https://github.com/editorconfig/editorconfig-core-c/commi...
x_refsource_MISC
https://github.com/editorconfig/editorconfig-core-c/relea...
x_refsource_MISC

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.