Description
A flaw has been found in skvadrik re2c up to 4.4. Impacted is the function check_and_merge_special_rules of the file src/parse/ast.cc. This manipulation causes a null pointer dereference. The attack can only be executed locally. The exploit has been published and may be used. Patch name: febeb977936f9519a25d9fbd10ff8256358cdb97. It is suggested to install a patch to address this issue.
Published: 2026-02-22
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Denial of Service via null pointer dereference
Action: Apply Patch
AI Analysis

Impact

A null pointer dereference flaw exists in the check_and_merge_special_rules function within the re2c parser (file src/parse/ast.cc) for all versions up to 4.4. This deficiency can cause the parser to crash when it encounters a malformed or unexpected rule structure, leading to a denial of service. No escalation of privileges or data disclosure is directly achievable from this code path, and the impact is confined to the local execution environment of the affected process.

Affected Systems

The vulnerability affects the re2c utility developed by skvadrik. All releases up to and including version 4.4 are susceptible. The fix is identified by commit febeb977936f9519a25d9fbd10ff8256358cdb97, and any downstream builds that incorporate this patch will no longer hit the null pointer dereference. System administrators should verify that the installed re2c package incorporates this commit or a later release.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and the EPSS score is listed as less than 1%, reflecting a low probability of exploitation in the wild. The vulnerability is not catalogued in CISA’s Known Exploited Vulnerabilities list. Attackers can only exploit the flaw locally, which means that an attacker must be able to run code or control input streams on the host running re2c. Although the exploit has been published and can be used for local denial of service, widespread automated exploitation is unlikely given the limited vector and low EPSS.

Generated by OpenCVE AI on April 17, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch commit febeb977936f9519a25d9fbd10ff8256358cdb97 to the re2c source and rebuild the library.
  • Upgrade to a re2c release that incorporates the above patch, such as any version newer than 4.4.
  • If an upgrade is not feasible, rebuild re2c with the check_and_merge_special_rules routine disabled for untrusted input contexts, thereby preventing the possibility of a null pointer dereference.



Advisories

No advisories yet.

History

Tue, 24 Feb 2026 00:15:00 +0000

Type: References
Type: Metrics
  Values Removed: threat_severity: None
  Values Added: threat_severity: Low


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
  Values Added: Skvadrik; Skvadrik re2c
Type: Vendors & Products
  Values Added: Skvadrik; Skvadrik re2c

Sun, 22 Feb 2026 01:00:00 +0000

Type: Description
  Values Added: A flaw has been found in skvadrik re2c up to 4.4. Impacted is the function check_and_merge_special_rules of the file src/parse/ast.cc. This manipulation causes null pointer dereference. The attack can only be executed locally. The exploit has been published and may be used. Patch name: febeb977936f9519a25d9fbd10ff8256358cdb97. It is suggested to install a patch to address this issue.
Type: Title
  Values Added: skvadrik re2c ast.cc check_and_merge_special_rules null pointer dereference
Type: First Time appeared
  Values Added: Re2c; Re2c re2c
Type: Weaknesses
  Values Added: CWE-404; CWE-476
Type: CPEs
  Values Added: cpe:2.3:a:re2c:re2c:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Re2c; Re2c re2c
Type: References
Type: Metrics
  Values Added:
    cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
    cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
    cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
    cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-26T16:21:15.725Z

Reserved: 2026-02-20T20:02:38.891Z

Link: CVE-2026-2903

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-02-22T01:16:00.563

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2903

Redhat

Severity: Low

Public Date: 2026-02-22T00:32:09Z

Links: CVE-2026-2903 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T16:45:15Z

Weaknesses