Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-41907

CVE-2026-41907: UUID Library Buffer Overflow Vulnerability

CVE-2026-41907 is a buffer overflow flaw in the UUID library for RFC9562 UUID creation that allows out-of-range writes in v3, v5, and v6 functions. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2026-41907 Overview

CVE-2026-41907 is an out-of-bounds write vulnerability (CWE-787) affecting the uuid package, a widely-used library for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to version 14.0.0, the v3, v5, and v6 functions accept external output buffers but fail to validate buffer boundaries, allowing silent partial writes when provided with small buffers or large offsets. This memory safety issue could lead to data corruption or potentially enable further exploitation in affected applications.

Critical Impact

Applications using uuid versions prior to 14.0.0 with external output buffers may be vulnerable to out-of-bounds writes, potentially enabling memory corruption and silent data integrity violations in security-sensitive contexts.

Affected Products

  • uuid package versions prior to 14.0.0
  • Applications using v3, v5, or v6 UUID generation functions with caller-provided buffers
  • Node.js and JavaScript/TypeScript projects depending on vulnerable uuid versions

Discovery Timeline

  • April 24, 2026 - CVE-2026-41907 published to NVD
  • April 27, 2026 - Last updated in NVD database

Technical Details for CVE-2026-41907

Vulnerability Analysis

This vulnerability represents an out-of-bounds write condition in the uuid library's UUID generation functions. The affected functions (v3, v5, and v6) are designed to allow callers to provide their own output buffers for performance optimization or integration purposes. However, these functions fail to perform adequate boundary validation before writing UUID data to the provided buffers.

When a caller provides a buffer that is too small to contain the full UUID output, or specifies an offset that would cause the write operation to exceed buffer boundaries, the functions proceed without error. This results in silent partial writes that could corrupt adjacent memory or leave buffers in an inconsistent state.

The vulnerability is particularly concerning in scenarios where uuid output is written to shared memory regions, pre-allocated buffers in security-sensitive applications, or memory structures where adjacent data integrity is critical.

Root Cause

The root cause is insufficient input validation in the v3, v5, and v6 UUID generation functions. These functions accept an optional output buffer and offset parameter but do not verify that the combination of buffer size and offset can accommodate the full 16-byte UUID output. The absence of boundary checks before write operations allows the library to write beyond the allocated buffer space or truncate output without notifying the caller.

Attack Vector

This vulnerability can be exploited via network-accessible attack vectors. An attacker who can influence the buffer or offset parameters passed to the vulnerable uuid functions could trigger out-of-bounds writes. Potential attack scenarios include:

The vulnerability is exploitable when an application accepts external input that influences buffer allocation sizes or offset values passed to uuid generation functions. In web applications or APIs that generate UUIDs based on user input while using caller-provided buffers, an attacker could craft inputs that result in undersized buffers or excessive offsets.

The silent nature of the failure makes this vulnerability particularly dangerous, as applications may continue operating with corrupted data structures without any error indication. For detailed technical information, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-41907

Indicators of Compromise

  • Unexpected application crashes or memory corruption errors in Node.js applications using uuid
  • Data integrity anomalies in systems that store UUID values generated with external buffers
  • Unusual memory access patterns or buffer-related exceptions in application logs

Detection Strategies

  • Audit application dependencies using npm audit or yarn audit to identify uuid versions prior to 14.0.0
  • Review application code for usage of v3(), v5(), or v6() functions with custom buffer and offset parameters
  • Implement software composition analysis (SCA) tools to continuously monitor for vulnerable uuid versions in your software supply chain

Monitoring Recommendations

  • Enable runtime memory protection mechanisms to detect out-of-bounds write attempts
  • Monitor application error logs for unexpected buffer or memory-related exceptions
  • Implement dependency vulnerability scanning in CI/CD pipelines to catch vulnerable uuid versions before deployment

How to Mitigate CVE-2026-41907

Immediate Actions Required

  • Upgrade the uuid package to version 14.0.0 or later immediately
  • Audit all applications using uuid for usage patterns involving external buffers with v3, v5, or v6 functions
  • Review any caller-provided buffer implementations to ensure adequate size allocation until patching is complete

Patch Information

The vulnerability is fixed in uuid version 14.0.0. This version introduces proper boundary validation for external output buffers and offset parameters in the v3, v5, and v6 functions. Organizations should update their dependencies using their package manager:

bash
# Update uuid package to the fixed version
npm update uuid@14.0.0

# Or using yarn
yarn upgrade uuid@14.0.0

For additional details on the security fix, consult the GitHub Security Advisory.

Workarounds

  • Avoid using external output buffers with v3(), v5(), and v6() functions until upgrade is possible
  • Implement application-level buffer size validation before passing buffers to uuid functions
  • Use the default buffer behavior (allowing uuid to allocate its own buffers) as a temporary mitigation
bash
# Verify installed uuid version
npm list uuid

# Lock to safe version in package.json
npm install uuid@14.0.0 --save-exact

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.