CVE-2026-50643

Out‑of‑Bounds Read in 8cc

Assigner: CERT-PL
Reserved: 05.06.2026 Published: 18.06.2026 Updated: 18.06.2026

8cc is vulnerable to an Out‑of‑Bounds Read due to improper handling of #line directives and GNU linemarkers. The compiler accepts attacker-controlled filename and line number metadata and later uses it without validation when accessing source line arrays. By supplying invalid or oversized line numbers, an attacker can trigger out-of-bounds memory access and a crash.

Maintainer of this project was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Version corresponding to the commit b480958 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	rui314
Product	8cc
Versions	Default: unknown Version b480958 is affected

Vendor

rui314

Product

8cc

Versions

Default: unknown

Version b480958 is affected

Credits

Michal Majchrowicz (AFINE) finder
Marcin Wyczechowski (AFINE) finder

References

Problem Types

CWE-125 Out-of-bounds Read CWE

Impacts

CAPEC-540 Overread Buffers