Description
A flaw was found in libucl. A remote attacker could exploit this by providing a specially crafted Universal Configuration Language (UCL) input that contains a key with an embedded null byte. This can cause a segmentation fault (SEGV fault) in the `ucl_object_emit` function when parsing and emitting the object, leading to a Denial of Service (DoS) for the affected system.
Published: 2026-03-17
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Workaround
AI Analysis

Impact

A flaw in libucl allows a remote attacker to supply a specially crafted Universal Configuration Language (UCL) input containing a key with an embedded null byte. When parsed, the ucl_object_emit function crashes with a segmentation fault, resulting in a denial of service. The weakness is identified as CWE-125, an out‑of-bounds read that can lead to memory corruption.

Affected Systems

The vulnerability affects the libucl:libucl product. No specific version information is provided, so all versions of libucl that use the vulnerable parsing routine are potentially impacted.

Risk and Exploitability

The CVSS score of 8.3 signifies a high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. A remote attacker can exploit this by sending the crafted UCL input, likely to any service that processes UCL data. The attack vector is remote, and the primary consequence is a service crash that leads to a denial of service. No additional prerequisites are mentioned, implying that the vulnerability could be triggered in normal operation when untrusted input is processed.

Generated by OpenCVE AI on March 17, 2026 at 04:20 UTC.

Remediation

Vendor Workaround

To mitigate this issue, applications utilizing `libucl` should avoid processing untrusted input that contains keys with embedded null bytes, especially when operating in `UCL_PARSER_ZEROCOPY` mode. Restricting input to trusted sources can reduce exposure.

OpenCVE Recommended Actions

  • Avoid processing untrusted input containing keys with embedded null bytes, especially in UCL_PARSER_ZEROCOPY mode.
  • Disable UCL_PARSER_ZEROCOPY mode if possible.
  • Validate or sanitize UCL input to remove embedded null bytes in keys before parsing.
  • Monitor application logs for segmentation faults and plan for service restarts if crashes occur.

Generated by OpenCVE AI on March 17, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Libucl
Libucl libucl
Vendors & Products Libucl
Libucl libucl

Tue, 17 Mar 2026 03:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in libucl. A remote attacker could exploit this by providing a specially crafted Universal Configuration Language (UCL) input that contains a key with an embedded null byte. This can cause a segmentation fault (SEGV fault) in the `ucl_object_emit` function when parsing and emitting the object, leading to a Denial of Service (DoS) for the affected system.
Title Libucl: libucl: denial of service via embedded null byte in ucl input
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H'}

Subscriptions

Libucl Libucl
cve-icon MITRE

Status: PUBLISHED

Assigner: fedora

Published:

Updated: 2026-03-17T13:26:47.057Z

Reserved: 2026-01-08T03:31:35.226Z

Link: CVE-2026-0708

cve-icon Vulnrichment

Updated: 2026-03-17T13:26:35.337Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-17T04:16:07.750

Modified: 2026-03-17T14:20:01.670

Link: CVE-2026-0708

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:49:37Z

Weaknesses