CVE-2026-0708

Published: Mar 17, 2026Modified: May 11, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

A flaw was found in libucl. A remote attacker could exploit this by providing a specially crafted Universal Configuration Language (UCL) input that contains a key with an embedded null byte. This can cause a segmentation fault (SEGV fault) in the `ucl_object_emit` function when parsing and emitting the object, leading to a Denial of Service (DoS) for the affected system.

Affected (1)

Products: Vstakhov: Libucl

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Vstakhov Libucl	Up to 0.9.4

Related CWEs

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

References (4)

https://access.redhat.com/security/cve/CVE-2026-0708

Source: patrick@puiterwijk.org

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2427770

Source: patrick@puiterwijk.org

Third Party AdvisoryIssue Tracking

https://github.com/vstakhov/libucl/issues/323

Source: patrick@puiterwijk.org

Issue TrackingVendor AdvisoryExploit

https://github.com/vstakhov/libucl/issues/323

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Issue TrackingVendor AdvisoryExploit

Timeline

No history available yet.