{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-42371", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-27T05:50:35.801Z", "datePublished": "2026-04-27T05:50:36.185Z", "dateUpdated": "2026-04-27T14:41:22.410Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "uriparser", "vendor": "uriparser", "versions": [{"lessThan": "1.0.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-197", "description": "CWE-197 Numeric Truncation Error", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-27T06:07:08.588Z"}, "references": [{"url": "https://github.com/uriparser/uriparser/pull/298"}, {"url": "https://uriparser.github.io"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T11:07:03.859190Z", "id": "CVE-2026-42371", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T11:09:51.263Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/27/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-27T14:41:22.410Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/27/2"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-27T14:41:22.410Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42371", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T11:07:03.859190Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T11:07:11.858Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "uriparser", "product": "uriparser", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/uriparser/uriparser/pull/298"}, {"url": "https://uriparser.github.io"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-197", "description": "CWE-197 Numeric Truncation Error"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-27T06:07:08.588Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42371", "state": "PUBLISHED", "dateUpdated": "2026-04-27T14:41:22.410Z", "dateReserved": "2026-04-27T05:50:35.801Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-27T05:50:36.185Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes."}], "id": "CVE-2026-42371", "lastModified": "2026-04-27T18:57:20.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 3.6, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-27T07:16:04.173", "references": [{"source": "cve@mitre.org", "url": "https://github.com/uriparser/uriparser/pull/298"}, {"source": "cve@mitre.org", "url": "https://uriparser.github.io"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/27/2"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-197"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "uriparser: uriparser: Denial of Service via numeric truncation with oversized URIs", "id": "2463159", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463159"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in uriparser. This vulnerability occurs due to numeric truncation in text range comparison when an application processes extremely long Uniform Resource Identifiers (URIs), specifically those with lengths in gigabytes. A local attacker could exploit this flaw by providing a malformed, excessively long URI, leading to a Denial of Service (DoS) condition where the application becomes unavailable."], "name": "CVE-2026-42371", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "uriparser", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "uriparser", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "uriparser", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-04-27T05:50:36Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-42371\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42371\nhttps://github.com/uriparser/uriparser/pull/298\nhttps://uriparser.github.io"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.1)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "uriparser", "source": "cna", "vendor": "uriparser"}, "product": "uriparser", "vendor": "uriparser_project"}], "analysis": {"en": {"generated_at": "2026-04-28T04:47:18.668467+00:00", "value": {"mitigation_remediation": ["Upgrade uriparser to version 1.0.1 or later.", "If an upgrade is not immediately possible, enforce a hard limit on URI length before handing it to uriparser; reject any URI larger than a reasonable threshold (e.g., 2\u202fMB).", "Review application code for other logic errors that depend on proper URI range checks and correct them; run static analysis to detect potential issues."], "summary": {"action": "Apply Patch", "impact": "Incorrect URI range comparison that could allow logic bypass"}, "threat_synthesis": {"affected_systems": "The affected component is the uriparser library, with all releases before 1.0.1. Any software that relies on this library, such as web servers or network applications that parse user supplied URIs, is susceptible. If a system integrates uriparser directly or through another layer, the vulnerability is present until the library is updated.", "description_and_impact": "uriparser versions prior to 1.0.1 contain a numeric truncation bug in the function that compares the length of a URI's textual range. When the application feeds the library a URI whose length is in the range of gigabytes, the internal counter overflows or truncates, causing the comparison to treat the long URI as within an acceptable range. This mismatch can lead to logic errors, potentially allowing an attacker to cause the application to accept malformed or oversized URIs that would otherwise be rejected.", "risk_and_exploitability": "The CVSS score is 5.1, reflecting a moderate impact. The EPSS score is less than 1\u202f%, indicating that exploitation is currently considered unlikely. It is not listed in CISA\u2019s KEV catalog. An attacker would need to supply a user\u2011controlled URI of gigabyte\u2011scale length to trigger the truncation, so the attack vector is typically local or via an application that accepts external URIs. While the bug alone may not grant arbitrary code execution, it could facilitate other vulnerabilities that depend on correct URI validation."}}}}, "created": "2026-04-27T20:00:05.353519+00:00", "title": "Numeric Truncation in URI Range Comparison in uriparser", "updated": "2026-04-28T05:00:14.731036+00:00", "vendors": ["uriparser_project", "uriparser_project$PRODUCT$uriparser"]}