Impact
The vulnerability is a stack-based buffer overflow in the ec_glob() function of the editorconfig-core-c library. The function does not bound writes to the l_pattern[8194] stack buffer, so parsing a specially crafted directory structure together with a .editorconfig file corrupts the stack. This flaw can crash any application that links libeditorconfig, triggering a SIGABRT on systems such as Ubuntu 24.04 and resulting in a denial of service. Although no arbitrary code execution has been reported, the defect is a classic stack-based buffer overflow (CWE-121) and an out-of-bounds write on a stack buffer (CWE-787). The issue is an incomplete fix for CVE-2023-0341 and was addressed in release 0.12.11.
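The following C snippet is an added illustration and is not code from editorconfig-core-c. It shows the defensive pattern that prevents the CWE-121 condition described above: a glob pattern is assembled into a fixed-size stack buffer only after checking that the result fits. The 8194-byte capacity mirrors the l_pattern[8194] buffer named in the advisory; the function names, the prefix/pattern layout and the helper routines are hypothetical stand-ins, not the real ec_glob() logic.

```c
/* Added illustration (not editorconfig-core-c's code): bounded assembly of a
 * glob pattern into a fixed-size stack buffer. The capacity matches the
 * l_pattern[8194] buffer named in the advisory; everything else is a
 * hypothetical stand-in for the real ec_glob() logic. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATTERN_CAP 8194

/* Build "<dir_prefix><pattern>" into a caller-supplied buffer of cap bytes.
 * Returns 0 on success, -1 if the result plus its NUL terminator would not
 * fit. Nothing is written past out[cap - 1] in either case. */
int build_pattern_bounded(char *out, size_t cap,
                          const char *dir_prefix, const char *pattern)
{
    size_t plen = strlen(dir_prefix);
    size_t glen = strlen(pattern);

    /* Reject before copying: the subtraction form avoids size_t wrap-around
     * that a naive plen + glen + 1 > cap check could suffer. */
    if (plen >= cap || glen >= cap - plen) {
        return -1;
    }
    memcpy(out, dir_prefix, plen);
    memcpy(out + plen, pattern, glen);
    out[plen + glen] = '\0';
    return 0;
}

/* Wrapper with a stack buffer of the advisory's size. Returns the resulting
 * pattern length, or -1 when the input was rejected as too long. */
long try_pattern(const char *dir_prefix, const char *pattern)
{
    char l_pattern[PATTERN_CAP];   /* hypothetical stand-in for the real buffer */
    if (build_pattern_bounded(l_pattern, sizeof l_pattern,
                              dir_prefix, pattern) != 0) {
        return -1;
    }
    return (long)strlen(l_pattern);
}

/* Helper for boundary checks: a pattern made of n copies of c (constructed
 * input, heap-allocated so that n can exceed the stack buffer). */
long try_repeated(const char *dir_prefix, char c, size_t n)
{
    char *pat = malloc(n + 1);
    if (pat == NULL) {
        return -2;
    }
    memset(pat, c, n);
    pat[n] = '\0';
    long result = try_pattern(dir_prefix, pat);
    free(pat);
    return result;
}

int main(void)
{
    /* Constructed inputs: a normal pattern, one that exactly fills the
     * buffer, and one that is one byte too long. */
    printf("normal      : %ld\n", try_pattern("/project/", "*.{c,h}"));
    printf("exact fit   : %ld\n", try_repeated("", 'a', PATTERN_CAP - 1));
    printf("one too long: %ld\n", try_repeated("", 'a', PATTERN_CAP));
    return 0;
}
```

The check happens before any byte is copied, so an over-long pattern yields a clean error return instead of a corrupted stack frame; that is the behavioural difference between a denial-of-service crash and a rejected input.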
Affected Systems
The affected product is editorconfig-core-c, the core library used by plugins and applications that need EditorConfig parsing. All releases up to and including 0.12.10 are vulnerable; the library is tracked under the vendor/product pair editorconfig:editorconfig-core-c. Software that links libeditorconfig, statically or dynamically, such as integrated development environments, code editors, or build tools with EditorConfig support, may be affected if it uses a vulnerable library version. The fix is included in version 0.12.11; upgrading to that release or later resolves the issue.
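As an added helper, not part of editorconfig-core-c, the following C code decides whether a libeditorconfig version string falls inside the affected range (up to and including 0.12.10, with 0.12.11 the first fixed release). It compares the components numerically, because a plain string comparison orders 0.12.9 after 0.12.10 and would misclassify older builds. How you obtain the version string is an assumption left to the reader; a packaging query or the library's own version reporting are the usual sources.

```c
/* Added helper (not editorconfig-core-c's code): classify a libeditorconfig
 * version string against the advisory's affected range. */
#include <stdio.h>

/* First fixed release named in the advisory. */
#define FIXED_MAJOR 0
#define FIXED_MINOR 12
#define FIXED_PATCH 11

/* Parse "MAJOR.MINOR.PATCH". Returns 1 on success, 0 on malformed input
 * (missing components, trailing junk, or negative numbers). */
int parse_version(const char *s, int *maj, int *min, int *pat)
{
    char trailing;
    int n = sscanf(s, "%d.%d.%d%c", maj, min, pat, &trailing);
    return n == 3 && *maj >= 0 && *min >= 0 && *pat >= 0;
}

/* Returns 1 if version <= 0.12.10 (affected), 0 if it is 0.12.11 or later,
 * and -1 if the string could not be parsed. */
int is_affected_version(const char *version)
{
    int maj, min, pat;
    if (!parse_version(version, &maj, &min, &pat)) {
        return -1;
    }
    if (maj != FIXED_MAJOR) {
        return maj < FIXED_MAJOR;
    }
    if (min != FIXED_MINOR) {
        return min < FIXED_MINOR;
    }
    return pat < FIXED_PATCH;
}

int main(void)
{
    /* Constructed sample version strings. */
    const char *samples[] = { "0.12.9", "0.12.10", "0.12.11", "0.13.0", "0.12", "0.12.10x" };
    size_t count = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < count; i++) {
        int r = is_affected_version(samples[i]);
        printf("%-9s -> %s\n", samples[i],
               r == 1 ? "affected" : r == 0 ? "fixed" : "unparsable");
    }
    return 0;
}
```

Treat an unparsable result as "unknown" rather than "fixed": a vendored or patched build that reports a non-standard version string still needs manual confirmation that it carries the 0.12.11 fix.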
Risk and Exploitability
The CVSS score of 8.6 indicates a high-severity vulnerability. The description implies that the attack vector is local, or remote where the application processes untrusted configuration files, since an attacker would need to supply a malformed .editorconfig file to trigger the overflow. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, which suggests no known widespread exploitation yet. However, the high CVSS score and the nature of the stack overflow create a strong denial-of-service risk for affected systems that process untrusted configuration data. The attack does not provide arbitrary code execution, but it can disrupt the availability of the affected application.
OpenCVE Enrichment