PatchSiren cyber security CVE debrief
CVE-2026-41907 Uuidjs CVE debrief
CVE-2026-41907 affects the uuidjs/uuid package used in Node.js. According to the vendor advisory and NVD, versions prior to 14.0.0 do not properly reject out-of-range writes when v3, v5, or v6 are given external output buffers, which can lead to silent partial writes into caller-provided memory. The issue was published on 2026-04-24 and updated on 2026-05-11. The fix is in 14.0.0.
- Vendor: Uuidjs
- Product: uuid (uuidjs/uuid)
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-24
- Original CVE updated: 2026-05-11
- Advisory published: 2026-04-24
- Advisory updated: 2026-05-11
Who should care
Teams using uuidjs/uuid in Node.js applications, especially code paths that call v3, v5, or v6 with caller-controlled output buffers or buffer offsets. Application owners, security engineers, and platform teams responsible for dependency upgrades should prioritize review.
Technical summary
The flaw is a bounds-handling problem in uuidjs/uuid's UUID generation routines. v3, v5, and v6 accept an optional caller-supplied output buffer and offset into which the 16-byte UUID is written. In affected versions the library does not check that the 16-byte range starting at that offset fits inside the buffer, so a buffer that is too small or an offset that is too large is not rejected. Because an index write past the end of a Uint8Array is silently discarded in JavaScript, the result is a truncated UUID in the caller's buffer with no error, rather than a safe failure. NVD cites CWE-787 (out-of-bounds write) and CWE-823 (use of out-of-range pointer offset) and assigns a CVSS 4.0 score of 8.1 (HIGH).
Defensive priority
High. The CVSS vector describes network-reachable impact with no privileges required, and the bug sits in buffer-handling code. In practice the effect is a partially written identifier that the caller may go on to use as if it were complete (as a key, token, or record ID), which is a data-integrity problem rather than native memory corruption, since a typed-array write in Node.js cannot escape the buffer it targets. Remediate promptly, and first in services where the buffer size or offset passed to v3, v5, or v6 can be influenced by untrusted input or comes from a shared library the application does not control.
Recommended defensive actions
- Upgrade uuidjs/uuid to version 14.0.0 or later.
- Inventory applications that call v3, v5, or v6 with external output buffers or non-default offsets.
- Review code for any reliance on silent partial writes and replace with explicit bounds checks or safer buffer handling.
- Add regression tests that verify out-of-range buffer sizes and offsets are rejected or handled safely.
- Pin the dependency to a fixed version and verify lockfiles/build artifacts to prevent reintroduction of affected releases.
- Track the linked vendor advisory and NVD entry for any additional guidance or scope clarifications.
Evidence notes
This debrief is based only on the supplied CVE record, NVD metadata, and the linked GitHub security advisory. The corpus states that the vulnerability is fixed in 14.0.0 and that v3, v5, and v6 are affected when using external output buffers without proper out-of-range write rejection. NVD also lists vulnerable CPE entries for uuidjs/uuid versions 11.1.1, 12.0.0, and 13.0.0, but the supplied description indicates the broader fix boundary is 14.0.0.
Official resources
- CVE-2026-41907 CVE record (CVE.org)
- CVE-2026-41907 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (tagged Exploit, Vendor Advisory, Mitigation)
Publicly disclosed on 2026-04-24 and last modified on 2026-05-11. No KEV listing was supplied in the corpus.