Cyber Resilience

CVE-2026-1188

Medium

Published: 29 January 2026

Published
29 January 2026
Modified
09 February 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0049 38.4th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-1188 is a medium-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in Eclipse Omr. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1188 is a buffer overflow vulnerability (CWE-131, CWE-120) in the Eclipse OMR port library component, affecting versions since release 0.2.0. The flaw resides in an API function designed to return the textual names of all supported processor features. This function fails to account for the separator inserted between processor features when determining the safety of writes to the supplied output buffer. If the buffer is incorrectly sized—neglecting space for the separator—a buffer overflow can occur.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low attack complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability. Remote, unauthenticated attackers can trigger the buffer overflow by supplying a mis-sized buffer to the affected API function, potentially leading to arbitrary code execution or system compromise depending on the context of the library's usage.

The issue is addressed in Eclipse OMR version 0.8.0. Additional details on the fix are available in the upstream pull request at https://github.com/eclipse-omr/omr/pull/8082.

EU & UK References

Vulnerability details

In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this…

more

function was incorrectly sized, failing to account for the separator when determining when a write to the buffer was safe could lead to a buffer overflow. This issue is fixed in Eclipse OMR version 0.8.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer overflow in network-reachable API enables remote unauthenticated arbitrary code execution (CVSS 9.8 AV:N).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1471Same product: Eclipse Omr
CVE-2025-67109Same vendor: Eclipse
CVE-2025-55100Same vendor: Eclipse
CVE-2026-2332Same vendor: Eclipse
CVE-2024-10838Same vendor: Eclipse
CVE-2026-24457Same vendor: Eclipse
CVE-2026-2586Same vendor: Eclipse
CVE-2026-1605Same vendor: Eclipse
CVE-2026-5795Same vendor: Eclipse
CVE-2025-0728Same vendor: Eclipse

Affected Assets

eclipse
omr
0.2 — 0.8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely patching of the buffer overflow flaw in Eclipse OMR by updating to version 0.8.0, preventing remote exploitation.

prevent

Enforces memory protections such as stack guards, non-executable stacks, and ASLR to block arbitrary code execution from the buffer overflow.

prevent

Requires validation of buffer sizes and inputs to the affected API function, mitigating overflows from incorrectly sized buffers.

References