Hello Team,

An update request for CVE-2026-44927 with an impact report was submitted on Sun, May 10, 9:04 AM to MITRE. This request appears to have been processed today.

Best regards,
Joshua W. Windle

On Tue, May 12, 2026 at 3:19 PM Sebastian Pipping <[email protected]> wrote:
> Hi Alexander,
>
>
> On 5/10/26 09:47, Solar Designer wrote:
> > On Sat, May 09, 2026 at 08:18:49PM +0200, Sebastian Pipping wrote:
> >> just a quick note that uriparser 1.0.2 released today is fixing
> >> vulnerabilities CVE-2026-44927 and CVE-2026-44928.
> >
> > Thanks, but let's please be including vulnerability descriptions right
> > in the postings. Also, when it's one vulnerability, its title should be
> > in the Subject line. When it's more than one, then if there's a way to
> > group them e.g. by category or severity, that could go into the Subject.
> >
> >> Some key links are:
> >>
> >> - The change log of release 1.0.2
> >>   https://github.com/uriparser/uriparser/blob/uriparser-1.0.2/ChangeLog
> >
> > This says:
> >
> >>>>>>>>>>>>>> SECURITY
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> > * Fixed: [CVE-2026-44927]
> >     Stop truncating `ptrdiff_t` to `int`
> >     Thanks for the report to Ilia Alshanetsky and Joshua W. Windle!
> >     (GitHub #304)
> > * Fixed: [CVE-2026-44928]
> >     Fix `EqualsUri` with regard to `.absolutePath`
> >     Thanks for the report to Ilia Alshanetsky! (GitHub #305)
> >>>>>>>>>>>>>> SECURITY
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
> > * Fixed: Fix OOM related memory leak in `CopyUriMm`
> >     Thanks for the report to Ilia Alshanetsky! (GitHub #306)
> >
> >> - The fixing pull requests
> >>   - https://github.com/uriparser/uriparser/pull/304
> >>   - https://github.com/uriparser/uriparser/pull/305
> >>
> >> - The official CVE metadata
> >>   - https://nvd.nist.gov/vuln/detail/CVE-2026-44927
> >>   - https://nvd.nist.gov/vuln/detail/CVE-2026-44928
> >
> > These only say a little:
> >
> > CVE-2026-44927: In uriparser before 1.0.2, there is pointer difference
> > truncation to int in various places.
> >
> > CVE-2026-44928: In uriparser before 1.0.2, the function family EqualsUri
> > can misclassify two unequal URIs as equal.
> >
> > For CVE-2026-44927, it could help to clarify actual security exposure
> > and impact.
>
> I understand.
>
> My understanding of the impact of the ptrdiff_t truncation
> (CVE-2026-44927) was "DoS or more", and I focussed on fixing this in the
> about 15 places rather than analyzing the impact in more detail.
>
> Ilia and Joshua considered impact more than me, and I'm BCC'ing them
> so they can reply to this mail directly if they like, please do not feel
> pushed.
>
> Let me add that the public CVSS score input for CVE-2026-44927 is
> (again) mistaken; none of these are correct:
>
> - Attack vector: Local
> - Attack complexity: High
> - Availability: None
>
> (Seen at https://github.com/advisories/ghsa-gmxg-5w57-j63q just now.)
>
> Best
>
>
>
> Sebastian
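To make the bug class named in the changelog entry for CVE-2026-44927 concrete, here is an added C example (not uriparser code and not written by anyone in the thread; every function name is invented) that puts a pointer-difference length narrowed to `int` next to a checked conversion and a downstream buffer-size calculation. It assumes an LP64 host (64-bit `ptrdiff_t`, 32-bit `int`) compiled with GCC or Clang, which reduce out-of-range integer conversions modulo 2^32.

```c
/* Added example, not uriparser code: the integer-truncation class behind
 * CVE-2026-44927 (a pointer difference narrowed to int) beside a checked
 * conversion. Assumes an LP64 host (64-bit ptrdiff_t, 32-bit int); GCC and
 * Clang reduce out-of-range conversions modulo 2^32. Names are made up. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: end - begin stored in an int. For spans of INT_MAX + 1
 * bytes or more the value does not fit: INT_MAX + 1 wraps to INT_MIN and
 * 2^32 + 5 wraps to 5, so later code works with a wrong length. */
static int span_len_truncated(ptrdiff_t diff) {
    int len = (int)diff;  /* narrowing; usually implicit in real code */
    return len;
}

/* Hardened pattern: return the length, or -1 when the span is negative or
 * too large for int, so the caller fails closed instead of continuing. */
static int span_len_checked(ptrdiff_t diff) {
    if (diff < 0 || diff > (ptrdiff_t)INT_MAX)
        return -1;
    return (int)diff;     /* known to be in range here */
}

/* Downstream consumer: size a copy buffer from the int length. A wrapped
 * negative length becomes a huge size_t (allocation fails: DoS), -1 gives
 * a zero-byte buffer, and a wrapped small length undersizes the buffer. */
static size_t copy_buffer_size(int len) {
    return (size_t)len + 1;  /* +1 for the terminating NUL */
}

/* Realistic caller: length of the scheme in a URI, using the checked helper. */
static int scheme_len(const char *uri) {
    const char *colon = strchr(uri, ':');
    return colon ? span_len_checked(colon - uri) : -1;
}

int main(void) {
    ptrdiff_t big = (ptrdiff_t)INT_MAX + 1;  /* a 2 GiB span */
    printf("scheme length: %d\n", scheme_len("https://example.com/path"));
    printf("truncated: %d, checked: %d\n",
           span_len_truncated(big), span_len_checked(big));
    printf("buffer for wrapped length: %zu bytes\n",
           copy_buffer_size(span_len_truncated(big)));
    return 0;
}
```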
