Description
uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue.
Published: 2026-04-23
Score: 3.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Potential arbitrary memory write due to unexpected data writes
Action: Assess
AI Analysis

Impact

A buffer misuse in uuid before 14.0.0 allows unexpected writes to memory when an external output buffer is supplied with UUID versions 3, 5, or 6. This qualifies as an out‑of‑bounds write (CWE‑787) and a write error (CWE‑670) that can corrupt application data or cause abnormal termination. The flaw is limited to the mentioned UUID versions; the widely used UUID version 4 is unaffected.

Affected Systems

The vulnerability affects the uuidjs:uuid library in all releases prior to 14.0.0. Any project that imports that library and requests a UUID of version 3, 5, or 6 while providing an external output buffer is potentially vulnerable.

Risk and Exploitability

The CVSS base score is 3.2, indicating low severity, and the EPSS score is less than 1 %, highlighting a very low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires that an attacker can supply a known external buffer and choose a vulnerable UUID version – typically through application code that directly calls the library with user‑controlled parameters.

Generated by OpenCVE AI on April 28, 2026 at 14:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uuidjs:uuid to version 14.0.0 or later
  • Avoid supplying external output buffers when generating UUIDs of versions 3, 5, or 6
  • Use the library’s default return value instead of external buffers, or switch to a different UUID library that does not exhibit this flaw

Generated by OpenCVE AI on April 28, 2026 at 14:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Uuidjs
Uuidjs uuid
Vendors & Products Uuidjs
Uuidjs uuid

Sun, 26 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title uuid: uuid: Unexpected data writes when using external output buffers with specific UUID versions
Weaknesses CWE-787
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 23 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Description uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue.
Weaknesses CWE-670
References
Metrics cvssV3_1

{'score': 3.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N'}

Subscriptions

Uuidjs Uuid
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-23T16:22:56.684Z

Reserved: 2026-04-23T04:00:54.532Z

Link: CVE-2026-41988

cve-icon Vulnrichment

Updated: 2026-04-23T14:48:58.864Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-23T05:16:05.613

Modified: 2026-04-24T14:50:56.203

Link: CVE-2026-41988

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-23T04:00:54Z

Links: CVE-2026-41988 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses