CVE-2026-3407

low-risk

Published 2026-03-02

A vulnerability was determined in YosysHQ yosys up to 0.62. This affects the function Yosys::RTLIL::Const::set of the file kernel/rtlil.h of the component BLIF File Parser. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. Applying a patch is the recommended action to fix this issue. It appears that the issue is not reproducible all the time.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.3/10 Low

LOCAL / LOW complexity

References (8)

https://github.com/YosysHQ/yosys/

https://github.com/YosysHQ/yosys/issues/5677

https://github.com/YosysHQ/yosys/pull/5680

https://github.com/YosysHQ/yosys/pull/5681

https://github.com/oneafter/0210/blob/main/yo2/repro

https://vuldb.com/?ctiid.348302

https://vuldb.com/?id.348302

https://vuldb.com/?submit.763755

/ 100

low-risk

Severity 13/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal