Hi,
The following vulnerability was published for editorconfig-core.
CVE-2026-40489[0]:
| editorconfig-core-c is an EditorConfig core library for use by
| plugins supporting EditorConfig parsing. Versions up to and
| including 0.12.10 have a stack-based buffer overflow in ec_glob()
| that allows an attacker to crash any application using
| libeditorconfig by providing a specially crafted directory structure
| and .editorconfig file. This is an incomplete fix for CVE-2023-0341.
| The pcre_str buffer was protected in 0.12.6 but the adjacent
| l_pattern[8194] stack buffer received no equivalent protection. On
| Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS).
| Version 0.12.11 contains an updated fix.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-40489
https://www.cve.org/CVERecord?id=CVE-2026-40489
[1] https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-97xg-vrcq-254h
Please adjust the affected versions in the BTS as needed.
Regards,
Salvtore