Description
8cc is vulnerable to an Out‑of‑Bounds Read due to improper handling of #line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays.
By supplying invalid or oversized line numbers, an attacker can trigger out-of-bounds memory access and a crash.

Maintainer of this project was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Version corresponding to the commit b480958 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
Published: 2026-06-18
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed #line directive or GNU line marker in source files allows the 8cc compiler to perform an out‑of‑bounds read. By providing an attacker‑controlled filename and an excessively large line number, the compiler later indexes into its source line array without bounds checking, resulting in a crash. The vulnerability does not provide a code execution path or data disclosure.

Affected Systems

The vulnerability is limited to the 8cc compiler distributed by rui314. The commit identified as vulnerable is b480958, and while no formal version range is published, any compile that processes #line directives and the GNU linemarkers feature may be affected.

Risk and Exploitability

The CVSS score of 5.1 places the issue in the medium severity range, and the EPSS score of fewer than one percent indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to supply a specially crafted source file during compilation; impact is limited to the compilation environment and results in a denial of service by terminating the compiler.

Generated by OpenCVE AI on June 18, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check whether your 8cc version corresponds to the vulnerable commit or newer; obtain and apply any vendor‑issued patch if available.
  • If no patch exists, avoid using #line directives or other GNU linemarkers in source files that are compiled with this version of 8cc.
  • Monitor vendor advisories and the project’s repository for an official fix, and plan to upgrade once it becomes available.

Generated by OpenCVE AI on June 18, 2026 at 19:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description 8cc is vulnerable to an Out‑of‑Bounds Read due to improper handling of #line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays. By supplying invalid or oversized line numbers, an attacker can trigger out-of-bounds memory access and a crash. Maintainer of this project was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Version corresponding to the commit b480958 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
Title Out‑of‑Bounds Read in 8cc
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-18T12:29:43.415Z

Reserved: 2026-06-05T13:27:10.270Z

Link: CVE-2026-50643

cve-icon Vulnrichment

Updated: 2026-06-18T12:27:32.712Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T19:15:02Z

Weaknesses