Cyber Posture

CVE-2026-0708

High · Public PoC · Updated

Published: 17 March 2026
Modified: 11 May 2026
KEV Added: not listed
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H)
EPSS Score: 0.0014 (33.8th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0708 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Vstakhov Libucl. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 33.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the libucl parsing flaw by requiring timely identification, reporting, and patching of the vulnerability that causes a SEGV on malformed UCL input with embedded null bytes.

prevent: Requires validation of UCL inputs at parsing points, rejecting specially crafted inputs that contain embedded null bytes before they trigger out-of-bounds reads in ucl_object_emit.

prevent: Implements protections that limit the effects of denial-of-service attacks, including crashes caused by malformed UCL processing in libucl.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

This CVE lets a crafted UCL input crash the application that parses it, producing an endpoint denial of service (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw was found in libucl. A remote attacker could exploit this by providing a specially crafted Universal Configuration Language (UCL) input that contains a key with an embedded null byte. This can cause a segmentation fault (SEGV fault) in the `ucl_object_emit` function when parsing and emitting the object, leading to a Denial of Service (DoS) for the affected system.

Deeper analysis

CVE-2026-0708 is a vulnerability in the libucl library, which handles Universal Configuration Language (UCL) parsing. The flaw occurs when processing a specially crafted UCL input containing a key with an embedded null byte, triggering a segmentation fault (SEGV) in the ucl_object_emit function during object parsing and emitting. This results in a Denial of Service (DoS) condition on affected systems. The issue is classified under CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H).

A remote attacker can exploit this vulnerability by supplying the malicious UCL input, requiring no privileges but necessitating user interaction, such as a user processing the crafted input in an application that uses libucl. Successful exploitation causes a crash leading to DoS, with potential high confidentiality impact, low integrity impact, and high availability impact as scored by CVSS.

Advisories and further details on mitigation are provided by Red Hat at https://access.redhat.com/security/cve/CVE-2026-0708 and https://bugzilla.redhat.com/show_bug.cgi?id=2427770, as well as in the libucl GitHub issue at https://github.com/vstakhov/libucl/issues/323.
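The SI-10 control recommended above amounts to a pre-parse gate: reject a UCL document that carries an embedded NUL byte before it reaches libucl, using the length the I/O layer reports rather than strlen(). The following is an added example of such a gate (not libucl's own code, and the sample document is constructed, not the reported proof of concept); the function name and report struct are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Location of the first embedded NUL byte found in a UCL buffer. */
struct nul_report {
    size_t offset;  /* 0-based byte offset of the NUL */
    size_t line;    /* 1-based line number */
    size_t column;  /* 1-based column within that line */
};

/* Constructed samples: a key with an embedded NUL, and a clean document. */
const char ucl_bad_sample[]  = "section {\n    ke\0y = \"value\";\n}\n";
const char ucl_good_sample[] = "section {\n    key = \"value\";\n}\n";

/*
 * Pre-parse input validation gate. Scans a UCL document of known length
 * for NUL bytes before it is handed to the parser. Returns 1 if a NUL is
 * present (and fills *rep when non-NULL), 0 if the buffer is clean. The
 * length must come from the read/recv call, not strlen(), otherwise the
 * NUL itself would hide the remainder of the document from the check.
 */
int ucl_input_has_embedded_nul(const char *buf, size_t len, struct nul_report *rep)
{
    const char *nul = memchr(buf, '\0', len);
    if (nul == NULL)
        return 0;
    size_t off = (size_t)(nul - buf);
    size_t line = 1, col = 1;
    for (size_t i = 0; i < off; i++) {
        if (buf[i] == '\n') { line++; col = 1; } else { col++; }
    }
    if (rep) { rep->offset = off; rep->line = line; rep->column = col; }
    return 1;
}

int main(void)
{
    struct nul_report rep;
    /* sizeof - 1 drops the terminating NUL but keeps the embedded one. */
    if (ucl_input_has_embedded_nul(ucl_bad_sample, sizeof ucl_bad_sample - 1, &rep))
        printf("rejected: NUL at offset %zu (line %zu, column %zu)\n",
               rep.offset, rep.line, rep.column);
    if (!ucl_input_has_embedded_nul(ucl_good_sample, sizeof ucl_good_sample - 1, &rep))
        printf("accepted: no embedded NUL\n");
    return 0;
}
```

Log the reported offset and line/column with the rejection so that a crash-free refusal of such input is still visible to detection tooling.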

Details

CWE(s): CWE-125 (Out-of-bounds Read)

Affected Products: vstakhov libucl ≤ 0.9.4

CVEs Like This One

CVE-2024-46670 (shared CWE-125)
CVE-2025-21598 (shared CWE-125)
CVE-2025-21719 (shared CWE-125)
CVE-2025-21794 (shared CWE-125)
CVE-2025-24265 (shared CWE-125)
CVE-2025-63653 (shared CWE-125)
CVE-2026-43006 (shared CWE-125)
CVE-2026-32320 (shared CWE-125)
CVE-2026-33599 (shared CWE-125)
CVE-2024-41935 (shared CWE-125)
