PatchSiren cyber security CVE debrief
CVE-2026-42371 uriparser CVE debrief
CVE-2026-42371 is a numeric truncation vulnerability in uriparser before version 1.0.1. The flaw occurs in text range comparison logic when processing URIs with lengths measured in gigabytes. An attacker could potentially trigger a denial of service condition by supplying an exceptionally large URI that causes incorrect range calculations due to integer truncation. The vulnerability requires local access with high attack complexity, and no user interaction is needed. The CVSS 3.1 score of 5.1 (MEDIUM) reflects the localized impact and difficult exploitation conditions. The weakness is categorized as CWE-197 (Numeric Truncation Error). A patch is available via pull request 298 in the uriparser GitHub repository.
- Vendor: uriparser
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-27
- Original CVE updated: 2026-05-18
- Advisory published: 2026-04-27
- Advisory updated: 2026-05-18
Who should care
Organizations running applications that use uriparser for URI parsing, particularly those accepting URIs from untrusted sources or processing data URIs that may contain large payloads. Developers integrating uriparser into network services, web applications, or data processing pipelines should prioritize patching. System administrators maintaining distributions that package uriparser should ensure updated packages are deployed.
Technical summary
The vulnerability stems from improper handling of large integer values during text range comparison operations in uriparser's URI parsing logic. When a URI length exceeds the values representable in the data type used for range calculations, the length is truncated, leading to incorrect comparisons. This can result in out-of-bounds access or infinite loop conditions, causing application crashes. The attack requires supplying a URI with a length in the gigabyte range, which imposes practical constraints on exploitation but does not eliminate the risk for services that may process large data URIs or be subject to resource exhaustion attacks. The fix in version 1.0.1 corrects the range calculation so that large values are handled without truncation.
Defensive priority
medium
Recommended defensive actions
- Upgrade uriparser to version 1.0.1 or later to remediate the numeric truncation vulnerability
- Review applications that accept URI input to implement reasonable length limits as a defense-in-depth measure
- Monitor application logs for attempts to submit unusually large URI payloads
- Assess whether uriparser is used in security-critical paths where denial of service would have significant operational impact
- Subscribe to the uriparser project security announcements for future vulnerability notifications
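To make the bug class in the technical summary concrete, and to show the length-limit measure listed above, here is an added example constructed for this debrief (it is not uriparser's code and does not reproduce the real comparison routine): a range-length comparison that narrows a 64-bit length to 32 bits beside its corrected form, plus a pre-parse length cap. The first/length range layout, the 2^32 + 3 length and the 64 KiB limit are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of CWE-197 in a text-range comparison; not uriparser's code. */
/* A text range: pointer into the URI buffer plus byte length, kept at 64 bits because
 * a URI measured in gigabytes does not fit in 32 bits. */
typedef struct {
    const char *first;
    uint64_t    len;
} TextRange;

/* Vulnerable pattern: lengths are narrowed to 32 bits before being compared, so a
 * range of 2^32 + n bytes is indistinguishable from one of n bytes. */
bool range_equal_truncating(const TextRange *a, const TextRange *b) {
    uint32_t la = (uint32_t)a->len;   /* truncation: the high 32 bits are discarded */
    uint32_t lb = (uint32_t)b->len;
    if (la != lb) return false;
    return memcmp(a->first, b->first, la) == 0;
}

/* Hardened pattern: compare the full-width lengths first, then the bytes. */
bool range_equal_checked(const TextRange *a, const TextRange *b) {
    if (a->len != b->len) return false;
    if ((size_t)a->len != a->len) return false; /* would be narrowed again on a 32-bit platform */
    return memcmp(a->first, b->first, (size_t)a->len) == 0;
}

/* Defence in depth: reject oversized input before parsing. 64 KiB is an assumed policy value. */
#define MAX_URI_BYTES ((uint64_t)64 * 1024)
bool uri_length_acceptable(uint64_t len) { return len <= MAX_URI_BYTES; }

/* A 4 GiB URI cannot be allocated in a test, so the "huge" range reuses a 3-byte buffer and
 * carries a constructed length of 2^32 + 3. The truncating comparison only ever reads the
 * 3 truncated bytes, which is precisely why it wrongly reports the two ranges as equal. */
static const char SHORT_URI[] = "abc";
static const TextRange RANGE_SMALL = { SHORT_URI, 3 };
static const TextRange RANGE_HUGE  = { SHORT_URI, ((uint64_t)1 << 32) + 3 };

bool demo_truncating_equal(void) { return range_equal_truncating(&RANGE_SMALL, &RANGE_HUGE); }
bool demo_checked_equal(void)    { return range_equal_checked(&RANGE_SMALL, &RANGE_HUGE); }

int main(void) {
    printf("truncating compare says equal: %d\n", demo_truncating_equal());            /* 1 */
    printf("checked compare says equal:    %d\n", demo_checked_equal());               /* 0 */
    printf("huge URI passes length cap:    %d\n", uri_length_acceptable(RANGE_HUGE.len)); /* 0 */
    return 0;
}
```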
Evidence notes
Vulnerability confirmed in NVD with status 'Analyzed'. The CPE criterion specifies uriparser_project:uriparser versions prior to 1.0.1. The CVSS vector AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H indicates a local attack vector, high attack complexity, no privileges required and no user interaction, with availability impact as the primary concern.
Official resources
- CVE-2026-42371 CVE record (CVE.org)
- CVE-2026-42371 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Issue Tracking, Patch)
- Source reference: [email protected] (Product)
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 (Mailing List, Third Party Advisory)