CVE-2026-0708

Severity: High · Public PoC

Published: 17 March 2026
Modified: 11 May 2026
CVSS v3.1 score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H)
EPSS score: 0.0039 (30.5th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-0708 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Vstakhov Libucl. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 30.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-0708 is a vulnerability in the libucl library, which handles Universal Configuration Language (UCL) parsing. The flaw occurs when processing a specially crafted UCL input containing a key with an embedded null byte, triggering a segmentation fault (SEGV) in the ucl_object_emit function during object parsing and emitting. This results in a Denial of Service (DoS) condition on affected systems. The issue is classified under CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H).

A remote attacker can exploit this vulnerability by supplying the malicious UCL input. No privileges are required, but user interaction is needed, such as a user processing the crafted input in an application that uses libucl. Successful exploitation causes a crash leading to DoS; the CVSS vector scores the impact as high confidentiality, low integrity, and high availability, although the published description attributes only the crash (availability) outcome to the flaw.

Advisories and further details on mitigation are provided by Red Hat at https://access.redhat.com/security/cve/CVE-2026-0708 and https://bugzilla.redhat.com/show_bug.cgi?id=2427770, as well as in the libucl GitHub issue at https://github.com/vstakhov/libucl/issues/323.

Vulnerability details

A flaw was found in libucl. A remote attacker could exploit this by providing a specially crafted Universal Configuration Language (UCL) input that contains a key with an embedded null byte. This can cause a segmentation fault (SEGV fault) in the `ucl_object_emit` function when parsing and emitting the object, leading to a Denial of Service (DoS) for the affected system.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE enables application exploitation: crafted UCL input crashes the consuming process, producing an endpoint DoS (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33096 (shared CWE-125)
CVE-2026-22023 (shared CWE-125)
CVE-2026-23456 (shared CWE-125)
CVE-2025-21598 (shared CWE-125)
CVE-2026-25627 (shared CWE-125)
CVE-2026-25942 (shared CWE-125)
CVE-2026-37535 (shared CWE-125)
CVE-2025-24265 (shared CWE-125)
CVE-2026-43006 (shared CWE-125)
CVE-2025-63650 (shared CWE-125)

Affected Assets

vstakhov libucl ≤ 0.9.4

Mitigating Controls (NIST 800-53 r5; AI-mapped)

- prevent (patch the library): Directly remediates the libucl parsing flaw by requiring timely identification, reporting, and patching of the vulnerability causing SEGV on malformed UCL input with embedded null bytes.

- prevent (SI-10 Information Input Validation): Requires validation of UCL inputs at parsing points to reject specially crafted inputs containing embedded null bytes before they trigger out-of-bounds reads in ucl_object_emit.

- prevent (SC-5 Denial-of-service Protection): Implements protections to limit the effects of denial-of-service attacks, including crashes from resource exhaustion due to malformed UCL processing in libucl.
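As an added example (not code from the libucl project or from this advisory's source), a length-aware pre-parse check in C that implements the SI-10 input-validation control described above for the flaw in the Deeper analysis: it scans the full UCL buffer for an embedded NUL byte and reports where it sits, so the document can be rejected before it ever reaches ucl_object_emit. The function name and the two sample documents are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of the pre-parse check; offset and line are valid only when ok == 0. */
struct ucl_nul_check {
    int ok;          /* 1 = no embedded NUL, safe to hand to the parser */
    size_t offset;   /* byte offset of the first NUL */
    size_t line;     /* 1-based line that contains it, for triage logs */
};

/*
 * Scan a UCL buffer of explicit length len for an embedded NUL byte.
 * memchr over the full length is deliberate: strlen() stops at the first
 * NUL, so a C-string based check would see a shorter, clean-looking
 * document and miss exactly the byte this CVE is about.
 */
struct ucl_nul_check ucl_check_embedded_nul(const char *buf, size_t len)
{
    struct ucl_nul_check r = { 1, 0, 0 };
    const char *nul = memchr(buf, '\0', len);
    if (nul == NULL)
        return r;                         /* accept: no NUL in the buffer */
    r.ok = 0;
    r.offset = (size_t)(nul - buf);
    r.line = 1;
    for (size_t i = 0; i < r.offset; i++) /* count newlines before the NUL */
        if (buf[i] == '\n')
            r.line++;
    return r;
}

/* Constructed samples: a benign document and one with a NUL inside a key. */
static const char SAMPLE_OK[]  = "section {\n  name = \"demo\";\n}\n";
static const char SAMPLE_BAD[] = "section {\n  na\0me = \"demo\";\n}\n";

int main(void)
{
    struct ucl_nul_check a = ucl_check_embedded_nul(SAMPLE_OK, sizeof SAMPLE_OK - 1);
    struct ucl_nul_check b = ucl_check_embedded_nul(SAMPLE_BAD, sizeof SAMPLE_BAD - 1);
    printf("benign : %s\n", a.ok ? "accepted" : "rejected");
    printf("crafted: %s, NUL at offset %zu (line %zu); strlen() sees %zu of %zu bytes\n",
           b.ok ? "accepted" : "rejected", b.offset, b.line,
           strlen(SAMPLE_BAD), sizeof SAMPLE_BAD - 1);
    return 0;
}
```

The check must be applied to the byte length the application actually read (file size, HTTP body length), never to a length derived from a NUL-terminated string.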
