CVE-2026-0708

Summary

A flaw was found in libucl. A remote attacker could exploit this by providing a specially crafted Universal Configuration Language (UCL) input that contains a key with an embedded null byte. This can cause a segmentation fault (SEGV fault) in the ucl_object_emit function when parsing and emitting the object, leading to a Denial of Service (DoS) for the affected system.

Affected Software

VendorProductVersion RangeStatus
libucllibucl3e7f023e184e06f30fb5792dacd9dd0f8b692f1baffected

Weaknesses

  • CWE-125: Out-of-bounds Read

Workarounds

To mitigate this issue, applications utilizing libucl should avoid processing untrusted input that contains keys with embedded null bytes, especially when operating in UCL_PARSER_ZEROCOPY mode. Restricting input to trusted sources can reduce exposure.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

Additional References

References