Memory Management Flaw in Noir Language Affecting Brillig Bytecode by Noir
CVE-2026-41197

9.3 CRITICAL

Key Information:

Vendor: Noir-lang

Status
Vendor
CVE Published: 23 April 2026

What is CVE-2026-41197?

The Noir programming language has a vulnerability related to its handling of memory allocation for foreign function calls returning nested arrays. While the compiler processes the instructions correctly for simple types, it encounters issues with composite types like tuples. During memory allocation, the inner types of nested arrays are improperly accounted for, leading to under-allocation and potential corruption of the Brillig VM heap. This flaw affects users compiling to Brillig bytecode and can result in program failures when executing foreign function calls that return complex, nested data structures. Users should upgrade to version 1.0.0-beta.19 to mitigate this risk.

Affected Version(s)

noir < 1.0.0-beta.19

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved