All affected versions of the libucl configuration parsing library
Summary
This flaw exists in the libucl Universal Configuration Language library. A remote attacker can trigger it by providing a specially crafted UCL input with an embedded null byte in a configuration key. When the application parses the malicious input and then emits it, the `ucl_object_emit` function hits a segmentation fault and the application crashes. The result is denial of service for any application that uses libucl to process untrusted input.
Remediation
Update libucl to the latest patched version that resolves the null byte parsing issue. If no patch is available, implement input validation to filter out configuration keys containing embedded null bytes before processing with libucl. Restrict access to applications that process untrusted UCL input to reduce exposure.
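The input-validation step above can be a gate that runs on the raw buffer before libucl sees it; the following is an added example, not code from libucl or from this advisory, and `ucl_gate_check` and its result codes are hypothetical names. It rejects the whole input rather than a single key, and it also rejects the `\u0000` escape anywhere in the buffer on the conservative assumption that the parser may decode it to a null byte.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the pre-parse gate (hypothetical names, not libucl's). */
enum ucl_gate_result { UCL_GATE_OK = 0, UCL_GATE_RAW_NUL = 1, UCL_GATE_ESCAPED_NUL = 2 };

/* Scan an untrusted UCL buffer before it reaches libucl.
 * The length is passed explicitly: strlen() would stop at the first NUL
 * and hide exactly the bytes this check is looking for. */
enum ucl_gate_result ucl_gate_check(const unsigned char *buf, size_t len)
{
    size_t i = 0;

    /* Raw NUL byte anywhere in the input. */
    if (len > 0 && memchr(buf, 0, len) != NULL)
        return UCL_GATE_RAW_NUL;

    /* Escaped NUL: a backslash that starts an escape, followed by u0000.
     * Assumption: the parser may decode \u0000 to a NUL byte, so reject it.
     * Escapes are consumed in pairs so an escaped backslash is not misread. */
    while (i < len) {
        if (buf[i] != '\\') { i++; continue; }
        if (i + 1 >= len) break;                 /* trailing backslash */
        if (buf[i + 1] == 'u' && len - i >= 6 &&
            memcmp(buf + i + 2, "0000", 4) == 0)
            return UCL_GATE_ESCAPED_NUL;
        i += 2;                                  /* skip the escape pair */
    }
    return UCL_GATE_OK;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    static const unsigned char clean[] = "key = 1;";
    static const unsigned char raw[] = "ke\0y = 1;";
    printf("clean: %d\n", ucl_gate_check(clean, sizeof(clean) - 1));
    printf("raw:   %d\n", ucl_gate_check(raw, sizeof(raw) - 1));
    /* Only on UCL_GATE_OK would the caller pass the buffer and length to libucl. */
    return 0;
}
```
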