An out-of-bounds read vulnerability (CVE-2026-50643) has been found in the 8cc compiler.
# Vulnerability: Out-of-bounds Read in 8cc Compiler
## CVE Details
- **CVE ID:** CVE-2026-50643
- **CVSS Score:** Not explicitly provided in the report (Calculated Severity: Moderate/High based on impact)
- **CWE:** CWE-125 (Out-of-bounds Read)
## Affected Systems
- **Products:** 8cc compiler (developed by rui314)
- **Versions:** Commit `b480958` (Confirmed); other versions are potentially vulnerable but remain untested.
- **Configurations:** Systems utilizing the 8cc compiler to process C source files containing `#line` directives or GNU linemarkers.
## Vulnerability Description
8cc is vulnerable to an Out-of-bounds Read flaw stemming from the improper handling of `#line` directives and GNU linemarkers. The compiler allows for attacker-controlled filename and line number metadata within these directives. Because the software fails to validate this metadata before using it to access source line arrays, an attacker can provide invalid or oversized line numbers to trigger an out-of-bounds memory access.
## Exploitation
- **Status:** PoC availability confirmed via report coordination; no current evidence of exploitation in the wild.
- **Complexity:** Medium (Requires crafted source code input).
- **Attack Vector:** Local (The attacker must provide a malicious source file to be compiled).
## Impact
- **Confidentiality:** Low/Medium (Potential memory disclosure).
- **Integrity:** None.
- **Availability:** Medium/High (Triggers a compiler crash/Denial of Service).
## Remediation
### Patches
- At the time of the advisory publication (June 18, 2026), no specific patch has been released. The maintainer was notified but did not provide vulnerability details or a fixed version.
### Workarounds
- **Input Validation:** Manually audit or sanitize C source files to ensure `#line` directives do not contain abnormal or excessively large values before compilation.
- **Compiler Substitution:** Consider using alternative, actively maintained C compilers (e.g., GCC or Clang) for production environments.
## Detection
- **Indicators of Compromise:** Unexpected crashes of the `8cc` binary during the compilation process of third-party source code.
- **Detection Methods:** Static analysis of source files for suspicious `#line` or linemarker directives. Security scanners like **Artemis** or custom grep rules can be used to identify these patterns in automated pipelines.
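
The static check described above, as an added example (not code from the advisory or the 8cc project): a Python audit that flags `#line` directives and GNU linemarkers whose declared line number is 0 or above a limit, and any `#line` whose operand is not a plain number. The limit policy (default: the file's own physical line count), the name `audit_line_directives` and the sample input are assumptions made for this illustration.

```python
import re

# "#line <operands>" or the GNU linemarker form "# <digits> ...".
DIRECTIVE = re.compile(r'^\s*#\s*(?:line\b(?P<rest>.*)|(?P<marker>\d.*))$')
OPERANDS = re.compile(r'^(?P<num>\d+)(?=\s|$)')

def audit_line_directives(text, max_line=None):
    """Return [(physical_line, declared_number_or_None, reason)] for review.

    Assumed policy: a declared line number is suspicious when it is 0 or
    exceeds max_line (default: number of physical lines in the scanned text).
    Works on raw text: no macro expansion, no backslash-newline splicing.
    """
    lines = text.splitlines()
    limit = len(lines) if max_line is None else max_line
    findings = []
    for idx, raw in enumerate(lines, 1):
        m = DIRECTIVE.match(raw)
        if not m:
            continue
        operands = (m.group("rest") if m.group("rest") is not None else m.group("marker")).strip()
        op = OPERANDS.match(operands)
        if not op:
            findings.append((idx, None, "non-numeric operand, needs manual review"))
            continue
        declared = int(op.group("num"))
        if declared == 0:
            findings.append((idx, declared, "line number 0"))
        elif declared > limit:
            findings.append((idx, declared, f"line number exceeds limit {limit}"))
    return findings

# Constructed sample input (not taken from the advisory or from any PoC).
SAMPLE = '''\
#include <stdio.h>
#line 3 "generated.y"
int main(void) {
# 999999 "other.c" 1
    return 0;
#line COUNT
}
'''

if __name__ == "__main__":
    for finding in audit_line_directives(SAMPLE):
        print(finding)
```

Generated sources (parser generators, preprocessed `.i` files) legitimately carry these directives, so findings are a review queue rather than a verdict; pass `max_line` to match the pipeline's own tolerance.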
## References
- **CERT Polska Advisory:** hxxps[://]cert[.]pl/en/posts/2026/06/vulnerability-in-8cc-compiler/
- **CVE Record:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-50643
- **Project Repository:** hxxps[://]github[.]com/rui314/8cc