CVE-2026-41907 HIGH

CVE-2026-41907: uuid: Missing buffer bounds check in `v3`/`v5`/`v6` when `buf` is provided

Vendor Uuidjs
Product uuid
Weakness CWE-823
Published April 24, 2026
Last update April 27, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

What the vulnerability does

Description

uuid is a library for creating RFC 9562 (formerly RFC 4122) UUIDs. Prior to 14.0.0, the `v3`, `v5`, and `v6` functions accept a caller-provided output buffer (`buf`) and `offset`, but do not reject out-of-range writes (a `buf` that is too small, or an `offset` that is too large). The result is a silent partial write into the caller-provided buffer rather than an error. This vulnerability is fixed in 14.0.0.

Key dates

Disclosure timeline

April 24, 2026 CVE published
April 27, 2026 Record updated