Description
In uriparser before 1.0.2, there is pointer difference truncation to int in various places.
Published: 2026-05-08
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from pointer difference values being truncated to an int in several parts of uriparser before version 1.0.2. This truncation can lead to incorrect arithmetic, potentially causing integer overflows if the truncated value is later used in calculations. The flaw does not by itself affect confidentiality or availability, but it can compromise the integrity of URI parsing results. The weakness is classified as an integer conversion error, corresponding to CWE-197.
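The weakness class described above (CWE-197), shown as an added illustration that is not code from uriparser or from this record: a pointer difference narrowed to int beside a range-checked conversion. The function names are hypothetical, and the example assumes a target where ptrdiff_t is 64 bits wide and int is 32 bits wide.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: ptrdiff_t is wider than int (true on LP64 targets). */
_Static_assert(PTRDIFF_MAX > INT_MAX, "ptrdiff_t must be wider than int");

/* Weak pattern: narrowing a pointer difference to int. The result for
 * out-of-range values is implementation-defined; GCC and Clang keep
 * the low 32 bits, so the length silently wraps. */
static int len_truncating(ptrdiff_t diff) {
    return (int)diff;
}

/* Hardened pattern: reject any difference that does not fit in int
 * instead of converting it. Returns 0 on success, -1 on rejection. */
static int len_checked(ptrdiff_t diff, int *out) {
    if (diff < 0 || diff > INT_MAX) {
        return -1;
    }
    *out = (int)diff;
    return 0;
}

/* Typical follow-on arithmetic: size a copy buffer from the length. */
static size_t buffer_size_for(int len) {
    return (size_t)len + 1; /* +1 for the terminator */
}

int main(void) {
    /* Constructed sample: a span of 4 GiB + 5 bytes, given as the
     * difference itself so no such buffer has to be allocated. */
    ptrdiff_t diff = ((ptrdiff_t)1 << 32) + 5;
    int len = 0;

    printf("actual span:      %td bytes\n", diff);
    printf("truncated length: %d\n", len_truncating(diff));
    printf("buffer sized as:  %zu bytes\n",
           buffer_size_for(len_truncating(diff)));
    printf("checked result:   %d\n", len_checked(diff, &len));
    return 0;
}
```

The truncated length looks like a plausible small value, which is why later size calculations go wrong without any visible error; the checked variant turns the same input into an explicit failure.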

Affected Systems

The affected product is uriparser, in any build prior to release 1.0.2. Applications or services that link against these older uriparser versions are potentially impacted.

Risk and Exploitability

The CVSS score of 2.9 indicates low severity. EPSS information is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be through crafted URI input that triggers the code paths where truncation occurs; an attacker would need to supply such input to the application using the vulnerable library, making the exploitation path difficult but not impossible.

Generated by OpenCVE AI on May 8, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uriparser to version 1.0.2 or newer, which fixes the truncation bug.
  • If an upgrade cannot be performed immediately, manually apply the patch from GitHub pull request 304 to the source before building uriparser.
  • Implement application‑level URI validation and input size checks to limit malformed input and reduce the risk of overflow during parsing.


Advisories

No advisories yet.

History

Fri, 08 May 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 08 May 2026 09:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | uriparser integer truncation can compromise URI parsing integrity |

Fri, 08 May 2026 07:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In uriparser before 1.0.2, there is pointer difference truncation to int in various places. |
| Weaknesses | | CWE-197 |
| References | | |
| Metrics | | cvssV3_1: {'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'} |


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T12:49:45.802Z

Reserved: 2026-05-08T07:13:04.287Z

Link: CVE-2026-44927

Vulnrichment

Updated: 2026-05-08T12:49:41.852Z

NVD

Status: Received

Published: 2026-05-08T08:16:43.973

Modified: 2026-05-08T08:16:43.973

Link: CVE-2026-44927

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T09:30:05Z

Weaknesses