#1134338 editorconfig-core: CVE-2026-40489

Package:
src:editorconfig-core
Source:
src:editorconfig-core
Submitter:
Salvatore Bonaccorso
Date:
2026-04-20 14:35:01 UTC
Severity:
normal
Tags:
#1134338#5
Date:
2026-04-18 19:33:07 UTC
From:
To:
Hi,

The following vulnerability was published for editorconfig-core.

CVE-2026-40489[0]:
| editorconfig-core-c  is an EditorConfig core library for use by
| plugins supporting EditorConfig parsing. Versions up to and
| including 0.12.10 have a stack-based buffer overflow in ec_glob()
| that allows an attacker to crash any application using
| libeditorconfig by providing a specially crafted directory structure
| and .editorconfig file. This is an incomplete fix for CVE-2023-0341.
| The pcre_str buffer was protected in 0.12.6 but the adjacent
| l_pattern[8194] stack buffer received no equivalent protection. On
| Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS).
| Version 0.12.11 contains an updated fix.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40489
https://www.cve.org/CVERecord?id=CVE-2026-40489
[1] https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-97xg-vrcq-254h

Please adjust the affected versions in the BTS as needed.

Regards,
Salvtore

#1134338#10
Date:
2026-04-20 14:32:37 UTC
From:
To:
Hi,

I prepared a proposed bullseye-security update for CVE-2026-40489 in
editorconfig-core, based on the existing bullseye-security package
0.12.1-1.1+deb11u1.

The proposed update is 0.12.1-1.1+deb11u2 and backports the upstream
fixing commit:

https://github.com/editorconfig/editorconfig-core-c/commit/5159be88ad50641d9843289adda791ba300421ff

This addresses the incomplete CVE-2023-0341 fix by adding a bounds check
before copying pattern into the fixed-size l_pattern stack buffer in
ec_glob().

Validation performed:

  * dpkg-source -b completed successfully
  * clean bullseye pbuilder binary build completed successfully
  * lintian on the resulting .changes only reported pre-existing packaging
    issues such as obsolete Vcs fields and manpage groff warnings

The debdiff is attached.

Regards,
James