PatchSiren cyber security CVE debrief

CVE-2026-36189 Uncrustify CVE debrief

CVE-2026-36189 describes a buffer overflow in the Uncrustify project that a local attacker can use to crash the uncrustify executable, causing a denial of service. The issue is located in check_template.cpp, including the check_template and tokenize_cleanup functions, and the supplied record says it is fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc. NVD assigns CVSS 3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which corresponds to a crash-oriented availability impact rather than data theft or code execution.

Vendor: Uncrustify
Product: uncrustify
CVSS: 6.2 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Teams that build, package, or run Uncrustify locally should pay attention, especially maintainers of developer tooling, CI formatting jobs, and distributions that vendor or backport Uncrustify. Security teams should also care if crashes in formatting or pre-commit pipelines could interrupt builds or automated checks.

Technical summary

The vulnerability is recorded as a buffer overflow in the Uncrustify code path involving check_template.cpp, the check_template and tokenize_cleanup functions, and the uncrustify executable. The provided CVE data frames the impact as denial of service by a local attacker, with no confidentiality or integrity impact in the supplied CVSS vector. The NVD record shows the CVE as Deferred, so the public database entry may carry limited detail, but the fixed-commit reference indicates where the flaw was addressed.

Defensive priority

Medium priority. The issue is locally exploitable and availability-impacting, so it matters most where uncrustify is exposed to user-controlled inputs or integrated into automated workflows. It is less urgent than remote code execution issues, but it should still be patched promptly because crashes can disrupt developer and CI operations.

Recommended defensive actions

  • Update Uncrustify to a build that includes commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc.
  • If you maintain downstream packages or a fork, verify the fix has been merged or backported.
  • Review CI, pre-commit, and batch formatting jobs that invoke uncrustify on locally supplied content so crash impact is understood and contained.
  • After patching, rerun formatting or parser-related test coverage to confirm the fix is present in the shipped binary.
  • Track the CVE in vulnerability management systems as an availability issue with local attack requirements.

Evidence notes

All claims here are limited to the supplied CVE/NVD corpus. The CVE description states that Uncrustify contains a buffer overflow; that the affected version is Uncrustify_d-0.82.0-132-bcc41cbdc; that the issue is fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc; and that a local attacker can cause a denial of service via check_template.cpp, check_template, tokenize_cleanup, and the uncrustify executable components. NVD metadata adds CVSS v3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, weakness CWE-120, and vulnStatus Deferred.

Official resources

Published 2026-05-21T15:16:24.500Z; modified 2026-05-21T16:16:22.890Z. The supplied record indicates the CVE was already public on that date, and this debrief uses those CVE dates rather than any generation or review timestamp.