Description
In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly sized, failing to account for the separator when determining when a write to the buffer was safe could lead to a buffer overflow. This issue is fixed in Eclipse OMR version 0.8.0.
Published: 2026-01-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution via Buffer Overflow
Action: Patch
AI Analysis

Impact

A buffer overflow can occur when the API that lists processor feature names omits the separator length from its bounds check. If the caller-supplied output buffer is sized incorrectly, the function can write past the end of the buffer, which can corrupt memory and may lead to arbitrary code execution. The weakness is classified as CWE-120 (classic buffer overflow) and CWE-131 (incorrect calculation of buffer size).
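A minimal sketch of the bounds-check error described above, next to a check that counts the separator. It is an added illustration and not Eclipse OMR code; the function names, the sample feature names and the single-space separator are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data; the library's real feature names may differ. */
static const char *const SAMPLE[3] = { "fpu", "sse2", "avx" };

/* Bytes needed for the joined string, including separators and the NUL. */
size_t joined_size(const char *const *names, size_t count, const char *sep) {
    size_t total = 1;
    for (size_t i = 0; i < count; i++)
        total += strlen(names[i]) + (i > 0 ? strlen(sep) : 0);
    return total;
}

/* Models the flawed check without writing: bytes a loop would emit (NUL
 * included) when the separator is left out of the bounds test. */
size_t flawed_bytes_emitted(const char *const *names, size_t count,
                            const char *sep, size_t buf_len) {
    size_t used = 0;
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]);
        if (used + n + 1 > buf_len) break;  /* defect: separator not counted */
        used += n + (i > 0 ? strlen(sep) : 0);
    }
    return used + 1;
}

/* Hardened join: counts separator + name + NUL before every write.
 * Returns 0 on success, -1 (buffer emptied) if the result would not fit. */
int join_features(const char *const *names, size_t count, const char *sep,
                  char *buf, size_t buf_len) {
    size_t used = 0, sep_len = strlen(sep);
    if (buf_len == 0) return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(names[i]), add = n + (i > 0 ? sep_len : 0);
        if (add + 1 > buf_len - used) { buf[0] = '\0'; return -1; }
        if (i > 0) memcpy(buf + used, sep, sep_len);
        memcpy(buf + used + add - n, names[i], n);
        used += add;
        buf[used] = '\0';
    }
    return 0;
}

int main(void) {
    char buf[8];
    printf("flawed: %zu bytes into %zu; hardened returns %d\n",
           flawed_bytes_emitted(SAMPLE, 3, " ", sizeof buf), sizeof buf,
           join_features(SAMPLE, 3, " ", buf, sizeof buf));
    return 0;
}
```

With an 8-byte buffer the flawed check lets 9 bytes through, a one-byte overflow, while the hardened version rejects any buffer smaller than `joined_size()` reports.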

Affected Systems

Eclipse Foundation’s Eclipse OMR port library, starting from release 0.2.0, is affected. All builds prior to 0.8.0 lack the fix and are therefore vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. EPSS is below 1%, suggesting exploitation is unlikely in the near term, and the vulnerability is not listed in the KEV catalog. The vulnerability would be exploited by an attacker who can control the buffer size input to the API; the attack requires code to invoke the vulnerable function, so the risk is mainly local to instances running the affected library. The likely vector is local or compromised application code, with potential to lead to remote code execution if the application is exposed.

Generated by OpenCVE AI on April 18, 2026 at 01:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Eclipse OMR to version 0.8.0 or newer, which contains the fix for the separator handling issue.
  • Ensure that any custom code calling the processor feature retrieval API passes a correctly sized buffer, taking separator length into account.
  • Temporarily disable or restrict use of the feature enumeration API in environments that cannot be upgraded immediately, and monitor for attempts to call the function with incorrectly sized buffers.

History

Sat, 18 Apr 2026 02:00:00 +0000

Type | Values Removed | Values Added
Title | | Buffer Overflow in Eclipse OMR Processor Feature Retrieval API

Mon, 09 Feb 2026 15:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-120
CPEs | | cpe:2.3:a:eclipse:omr:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 30 Jan 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Eclipse; Eclipse omr
Vendors & Products | | Eclipse; Eclipse omr

Thu, 29 Jan 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 29 Jan 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly sized, failing to account for the separator when determining when a write to the buffer was safe could lead to a buffer overflow. This issue is fixed in Eclipse OMR version 0.8.0.
Weaknesses | | CWE-131
References | |
Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-01-29T16:42:05.567Z

Reserved: 2026-01-19T13:36:58.386Z

Link: CVE-2026-1188

Vulnrichment

Updated: 2026-01-29T16:41:51.012Z

NVD

Status: Analyzed

Published: 2026-01-29T09:16:03.560

Modified: 2026-02-09T15:20:46.133

Link: CVE-2026-1188

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:45:33Z
