Bug 2463159 (CVE-2026-42371)

Summary: CVE-2026-42371 uriparser: uriparser: Denial of Service via numeric truncation with oversized URIs
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbrownin, rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in uriparser. This vulnerability occurs due to numeric truncation in text range comparison when an application processes extremely long Uniform Resource Identifiers (URIs), specifically those with lengths in gigabytes. A local attacker could exploit this flaw by providing a malformed, excessively long URI, leading to a Denial of Service (DoS) condition where the application becomes unavailable.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2463209, 2463210    
Bug Blocks:    

Description OSIDB Bzimport 2026-04-27 07:01:26 UTC
uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes.