Ilia, thanks for jumping in!
On 5/12/26 19:44, Ilia wrote:
> CVE-2026-44927: In uriparser before 1.0.2, there is pointer difference
> truncation to int in various places.
> From my perspective CVE-2026-44927 is a low-severity security issue
> that would be hard to exploit in reality since it requires an actual
> 2 GB+ input to even trigger. For example, in the context of PHP (which
> uses the lib) you'd hit the memory limit long before this even triggers.
> Therefore, this is "Low" severity from my perspective. Given the input
> size, it definitely doesn't have a remote vector.
I have no problem with this being considered "low severity" based
on the payload size needed, but this /does/ have a remote vector that is
independent of size constraints, as far as I am concerned. I just
checked the definition of a remote attack vector a la CVSS [3][4] and
it's not "adjacent", not "local", and not "physical": I see nothing
stopping applications from parsing URI strings read "from the wire",
directly or indirectly, the same way that XMPP parses XML from the wire.
Am I missing something here?
Best
Sebastian
[3]
https://www.first.org/cvss/v3.0/specification-document#Exploitability-Metrics
[4]
https://www.first.org/cvss/v4.0/specification-document#Exploitability-Metrics