Platform: c
Component: editorconfig-core-c
Fixed in: 0.12.12
CVE-2026-40489 describes a stack-based buffer overflow vulnerability found in editorconfig-core-c, a core library for EditorConfig parsing. This flaw allows an attacker to crash applications utilizing the library by providing a specially crafted directory structure and .editorconfig file, resulting in a denial-of-service condition. The vulnerability affects versions 0.12.0 up to, but not including, 0.12.11, and a fix is available in version 0.12.11.
The primary impact of CVE-2026-40489 is a denial-of-service (DoS) condition. An attacker can trigger it by crafting a malicious .editorconfig file and directory structure. When an application using editorconfig-core-c attempts to parse this crafted input, a stack-based buffer overflow occurs and the application crashes. While the vulnerability does not allow remote code execution, the disruption caused by application crashes can be significant, especially in environments where editorconfig-core-c is widely used. On some systems, such as Ubuntu 24.04, FORTIFY_SOURCE turns the overflow into a SIGABRT, but the crash still occurs. This vulnerability exists because the fix for CVE-2023-0341 was incomplete, highlighting the ongoing need for careful review of EditorConfig parsing logic.
CVE-2026-40489 is related to CVE-2023-0341: it is the result of an incomplete fix for that earlier issue. Public proof-of-concept (PoC) code for CVE-2023-0341 may be adaptable to CVE-2026-40489. The EPSS score is currently pending evaluation. This vulnerability was published on 2026-04-18. Active exploitation campaigns are not currently known, but the availability of PoCs for the related CVE-2023-0341 increases the risk of exploitation.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-40489 is to immediately upgrade to version 0.12.11 of editorconfig-core-c. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing input validation on the .editorconfig files being parsed. This could involve limiting the depth of directory traversal or restricting the size of strings processed by the library. While not a complete solution, this can reduce the attack surface. There are no specific WAF or proxy rules that can directly mitigate this vulnerability, as it occurs during parsing within the application itself. After upgrading, confirm the fix by attempting to parse a known malicious .editorconfig file (if available) or by running a test suite that covers the vulnerable code path.
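A defender-side pre-parse check along the lines of the workaround above, added here as an example (it is not code from editorconfig-core-c): it bounds the depth, component length and total length of the path handed to the library, and the size of any .editorconfig file it would read, so inputs outside those limits are rejected before the parser sees them. The function names and the limit values are assumptions for this example.

```c
#include <stddef.h>
#include <sys/stat.h>

/* Returns 1 if `path` is an absolute path whose directory depth, longest
 * component and total length stay within the given limits, 0 otherwise.
 * Run this before passing the path to the EditorConfig parser, which
 * walks every parent directory looking for .editorconfig files. */
int ec_path_within_limits(const char *path, size_t max_depth,
                          size_t max_component, size_t max_path)
{
    size_t len = 0, depth = 0, comp = 0;

    if (path == NULL || path[0] != '/')
        return 0;                      /* only absolute paths are accepted */

    for (; path[len] != '\0'; len++) {
        if (len >= max_path)
            return 0;                  /* longer than allowed: stop scanning */
        if (path[len] == '/') {
            if (comp > 0)
                depth++;               /* one more directory component seen */
            comp = 0;
        } else if (++comp > max_component) {
            return 0;                  /* a single component is too long */
        }
    }
    if (comp > 0)
        depth++;                       /* final (file) component */
    return depth <= max_depth;
}

/* Returns 1 if the .editorconfig file at `path` is a regular file of at most
 * `max_bytes` bytes, 0 otherwise (including when it cannot be stat'ed). */
int ec_file_within_limits(const char *path, size_t max_bytes)
{
    struct stat st;

    if (path == NULL || stat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && st.st_size >= 0 &&
           (size_t)st.st_size <= max_bytes;
}
```
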
Update to version 0.12.11 or later of the editorconfig-core-c library to mitigate the risk of stack buffer overflow. This update corrects the vulnerability by protecting the adjacent stack buffer that was not protected in previous versions.
CVE-2026-40489 is a vulnerability in editorconfig-core-c where a crafted .editorconfig file and directory structure can cause a stack-based buffer overflow, leading to application crashes and denial of service.
You are affected if you are using editorconfig-core-c versions 0.12.0 through 0.12.10 in your applications or systems.
Upgrade to version 0.12.11 of editorconfig-core-c. As a temporary workaround, implement input validation on .editorconfig files.
Active exploitation campaigns are not currently known, but the availability of PoCs for related vulnerabilities increases the risk.
Refer to the project's official repository or website for the latest advisory information.