oss-sec mailing list archives
Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928
From: Sebastian Pipping <sebastian () pipping org>
Date: Tue, 12 May 2026 20:13:21 +0200
Ilia, thanks for jumping in! On 5/12/26 19:44, Ilia wrote:
> CVE-2026-44927: In uriparser before 1.0.2, there is pointer
difference
> truncation to int in various places.
From my perspective CVE-2026-44927 is a low-severity security issue
that would be hard to exploit in reality since it requires an actual
2gb+ input to even trigger. For example, in the context of PHP (which
uses the lib) you'd hit the memory limit long before this even triggers.
Therefore, this is "Low" severity from my perspective. Given the input
size, it definitely doesn't have a remote vector.
I have no problem with this being considering "low severity" based on the payload size needed, but this /does/ have a remote vector that isindependent of size constraints, as far as I am concerned. I just checked the definition of a remote attack vector a la CVSS [3][4] and
it's not "adjacent", not "local", and not "physical": I see nothing stopping applications from parsing URI strings read "from the wire", directly or indirectly, the same way that XMPP parses XML from the wire. Am I missing something here? Best Sebastian[3] https://www.first.org/cvss/v3.0/specification-document#Exploitability-Metrics [4] https://www.first.org/cvss/v4.0/specification-document#Exploitability-Metrics
Current thread:
- uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Sebastian Pipping (May 09)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Solar Designer (May 10)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Sebastian Pipping (May 12)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Ilia (May 12)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Sebastian Pipping (May 12)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Ilia (May 12)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Sebastian Pipping (May 12)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Joshua Windle (May 12)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Solar Designer (May 10)
