CVE-2026-41988

low-risk
Published 2026-04-23

uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue.

Do I need to act?

-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.2/10 Low
LOCAL / HIGH complexity

References (3)

https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34
https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq
https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq
13
/ 100
low-risk
Severity 8/34 · Low
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal