EditorConfig Core Library: Crash from Malicious Directory Structure
CVE-2026-40489
Summary
Versions up to and including 0.12.10 of the EditorConfig core library contain a bug that can crash a program that is given a specially crafted directory structure and configuration file. An attacker can trigger it by getting a program to process malicious files, but this requires control over the directory structure the program reads. Update to version 0.12.11 to fix the issue.
Original description
editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. This is an incomplete fix for CVE-2023-0341. The pcre_str buffer was protected in 0.12.6 but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix.
NVD CVSS 4.0 score: 8.6
Vulnerability type
CWE-121: Stack-based Buffer Overflow
CWE-787: Out-of-bounds Write
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026