CVE-2026-28207
Published: 26 February 2026
Summary
CVE-2026-28207 is a medium-severity OS Command Injection (CWE-78) vulnerability in Zenc-Lang Zen C. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); it is ranked at the 3.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A malicious `-o` argument is concatenated into a command string that is handed to `system()`, so arbitrary Unix shell commands run with the compiler user's privileges; the vulnerable compiler, a trusted build utility, becomes the vehicle for indirect command execution.
NVD Description
Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the `-o` command-line argument. The vulnerability existed in the `main` application logic (specifically in `src/main.c`), where the compiler constructed a shell command string to invoke the backend C compiler. This command string was built by concatenating various arguments, including the user-controlled output filename, and was subsequently executed using the `system()` function. Because `system()` invokes a shell to parse and execute the command, shell metacharacters within the output filename were interpreted by the shell, leading to arbitrary command execution. An attacker who can influence the command-line arguments passed to the `zc` compiler (for example through a build script or a CI/CD pipeline configuration) can execute arbitrary commands with the privileges of the user running the compiler. The vulnerability has been fixed in version 0.4.2 by removing `system()` calls and implementing `ArgList`-based internal argument handling. Users are advised to update to Zen C version v0.4.2 or later.
Deeper analysis
CVE-2026-28207 is a command injection vulnerability (CWE-78) affecting the Zen C compiler, a systems programming language that compiles to human-readable GNU C/C11, in versions prior to 0.4.2. The issue resides in the main application logic within src/main.c, where the compiler constructs a shell command string by concatenating various arguments, including the user-controlled output filename provided via the -o command-line argument. This string is then executed using the system() function, which invokes a shell that interprets shell metacharacters in the filename, enabling arbitrary command execution.
Local attackers can exploit this vulnerability by influencing the command-line arguments passed to the zc compiler, such as through a build script or CI/CD pipeline configuration. No privileges are required (PR:N), though it demands local access (AV:L) and user interaction (UI:R) to run the compiler with a malicious -o argument. Successful exploitation allows execution of arbitrary shell commands with the privileges of the user running the compiler, resulting in low confidentiality and availability impacts but high integrity impact, as reflected in the CVSS v3.1 base score of 6.6 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L).
The vulnerability has been addressed in Zen C version 0.4.2 by eliminating system() calls, introducing ArgList for argument management, and handling arguments internally to prevent shell interpretation. Security advisories, including the GitHub Security Advisory at GHSA-9rff-x96h-76h2, recommend updating to version 0.4.2 or later to mitigate the issue.
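As an added illustration (this is not code from Zen C, the advisory, or the NVD entry), the C program below contrasts the two patterns the description names: a command string built by concatenation, which is exactly what `system()` would hand to `/bin/sh`, and an argument vector passed to `execvp()` with no shell in between, so every element reaches the child program as a single literal argument. The `ArgList` type, `has_shell_metachar`, `run_capture` and `demo_literal_passthrough` are hypothetical names constructed for this example and are not Zen C's real `ArgList` API; the hostile-looking output name is a constructed sample. The unsafe string is only built and printed, never executed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical fixed-capacity argument list (not Zen C's ArgList):
 * a NULL-terminated argv that can be handed straight to execvp(). */
#define ARGLIST_MAX 16
typedef struct {
    char *argv[ARGLIST_MAX + 1];
    int argc;
} ArgList;

static void arglist_init(ArgList *al) { al->argc = 0; al->argv[0] = NULL; }

static int arglist_push(ArgList *al, const char *arg) {
    if (al->argc >= ARGLIST_MAX) return -1;
    al->argv[al->argc] = strdup(arg);
    if (!al->argv[al->argc]) return -1;
    al->argc++;
    al->argv[al->argc] = NULL;
    return 0;
}

static void arglist_free(ArgList *al) {
    for (int i = 0; i < al->argc; i++) free(al->argv[i]);
    arglist_init(al);
}

/* The pre-fix shape: one string that would later go to system(). Built here
 * only to show what the shell would parse; this example never executes it. */
static int build_shell_command_unsafe(char *buf, size_t n, const char *cc,
                                      const char *src, const char *out) {
    int len = snprintf(buf, n, "%s %s -o %s", cc, src, out);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Flags characters a POSIX shell splits on or interprets. Usable as an input
 * check on -o values, or to hunt suspicious compiler invocations in build logs. */
static int has_shell_metachar(const char *s) {
    return strpbrk(s, ";|&$`<>(){}[]*?!'\"\\\n \t") != NULL;
}

/* Runs argv directly (no shell) and captures the child's stdout, up to n-1
 * bytes. Returns the child's exit status, or -1 on error. */
static int run_capture(const ArgList *al, char *out, size_t n) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(al->argv[0], al->argv);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t r;
    while (used < n - 1 && (r = read(fds[0], out + used, n - 1 - used)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Passes the output name as one argv element to echo; because no shell is
 * involved, echo prints the metacharacters back verbatim instead of a second
 * command running. */
static int demo_literal_passthrough(const char *out_name, char *captured, size_t n) {
    ArgList al;
    arglist_init(&al);
    if (arglist_push(&al, "echo") != 0 || arglist_push(&al, out_name) != 0) {
        arglist_free(&al);
        return -1;
    }
    int rc = run_capture(&al, captured, n);
    arglist_free(&al);
    return rc;
}

int main(void) {
    const char *hostile = "out.c; echo injected";   /* constructed sample -o value */
    char cmd[256], got[256];
    build_shell_command_unsafe(cmd, sizeof cmd, "cc", "main.c", hostile);
    printf("shell would see : %s\n", cmd);
    printf("metachar present: %d\n", has_shell_metachar(hostile));
    demo_literal_passthrough(hostile, got, sizeof got);
    printf("argv path echoed: %s", got);
    return 0;
}
```

The point of the contrast is the one the fix relies on: `execvp()` (or `posix_spawn()`) takes an argument vector, so the operating system never re-tokenizes the output name and a `;` stays a character in a filename. The `has_shell_metachar` check is a secondary, defence-in-depth measure for CI systems that still invoke a fixed compiler through wrapper scripts, since a legitimate `-o` value rarely needs those characters.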
Details
- CWE(s)