CVE-2026-1188
Published: 29 January 2026
Summary
CVE-2026-1188 is a critical-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in Eclipse Omr. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely patching of the buffer overflow flaw in Eclipse OMR by updating to version 0.8.0, preventing remote exploitation.
Enforces memory protections such as stack guards, non-executable stacks, and ASLR to block arbitrary code execution from the buffer overflow.
Requires validation of buffer sizes and inputs to the affected API function, mitigating overflows from incorrectly sized buffers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in network-reachable API enables remote unauthenticated arbitrary code execution (CVSS 9.8 AV:N).
NVD Description
In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this…
more
function was incorrectly sized, failing to account for the separator when determining when a write to the buffer was safe could lead to a buffer overflow. This issue is fixed in Eclipse OMR version 0.8.0.
Deeper analysisAI
CVE-2026-1188 is a buffer overflow vulnerability (CWE-131, CWE-120) in the Eclipse OMR port library component, affecting versions since release 0.2.0. The flaw resides in an API function designed to return the textual names of all supported processor features. This function fails to account for the separator inserted between processor features when determining the safety of writes to the supplied output buffer. If the buffer is incorrectly sized—neglecting space for the separator—a buffer overflow can occur.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low attack complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability. Remote, unauthenticated attackers can trigger the buffer overflow by supplying a mis-sized buffer to the affected API function, potentially leading to arbitrary code execution or system compromise depending on the context of the library's usage.
The issue is addressed in Eclipse OMR version 0.8.0. Additional details on the fix are available in the upstream pull request at https://github.com/eclipse-omr/omr/pull/8082.
Details
- CWE(s)