CVE-2026-40489
Description
editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. The flaw results from an incomplete fix for CVE-2023-0341: the pcre_str buffer was protected in 0.12.6, but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix.