CVE-2026-41907: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
The v3, v5, and v6 generators accept a caller-provided output buffer (`buf`) and an `offset` into it, but do not check that the 16 UUID bytes fit: a `buf` that is too small, or an `offset` that is too large, is not rejected.
By contrast, v1, v4, and v7 explicitly throw a RangeError when the requested byte range falls outside the buffer.
This inconsistency allows silent partial writes into caller-provided buffers: the bytes that fall outside `buf` are dropped without any error, and the caller is left with a truncated UUID in the buffer it supplied.
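The following is an added example, not code from the uuid package, that models the two write paths the advisory contrasts: an unchecked copy of 16 UUID bytes into a caller-supplied typed array (the behaviour attributed to v3/v5/v6) and the checked copy that throws RangeError (attributed to v1/v4/v7), together with a caller-side guard that an application pinned to an unpatched version can wrap around its own calls. The function names, the sample UUID bytes and the `generate` callback are constructed for illustration and do not correspond to the package's internals.

```javascript
// Added example, not the uuid package's own code. Models the unchecked and
// checked write paths the advisory contrasts. All names below are constructed.

// Constructed stand-in for the 16 bytes a UUID generator would produce.
const SAMPLE_UUID_BYTES = Uint8Array.from([
  0x6b, 0xa7, 0xb8, 0x10, 0x9d, 0xad, 0x11, 0xd1,
  0x80, 0xb4, 0x00, 0xc0, 0x4f, 0xd4, 0x30, 0xc8,
]);

// Unchecked write. Assigning past the end of a Uint8Array (or a Node Buffer,
// which is a Uint8Array subclass) is silently ignored, so a short buf or an
// oversized offset yields a truncated UUID and no error: the "silent partial
// write" the advisory describes.
function writeUuidUnchecked(bytes, buf, offset = 0) {
  for (let i = 0; i < 16; i++) {
    buf[offset + i] = bytes[i];
  }
  return buf;
}

// The kind of check the advisory says v1/v4/v7 perform: reject any range that
// does not lie entirely inside buf before touching it. Non-integer offsets are
// rejected too, because buf[1.5] = x would set a plain property, not a byte.
function assertUuidBounds(buf, offset = 0) {
  if (!(buf instanceof Uint8Array)) {
    throw new TypeError('buf must be a Uint8Array or Buffer');
  }
  if (!Number.isInteger(offset) || offset < 0 || offset + 16 > buf.length) {
    throw new RangeError(
      `UUID byte range ${offset}:${offset + 15} is out of buffer bounds (length ${buf.length})`
    );
  }
  return buf;
}

// Checked write: all-or-nothing. Either all 16 bytes land or nothing is written.
function writeUuidChecked(bytes, buf, offset = 0) {
  assertUuidBounds(buf, offset);
  return writeUuidUnchecked(bytes, buf, offset);
}

// Caller-side mitigation for an unpatched uuid: validate before handing buf to
// the library. `generate` stands in for a call such as v5(name, ns, buf, offset)
// with the name/namespace already bound; only the (buf, offset) tail is passed.
function safeUuidInto(generate, buf, offset = 0) {
  assertUuidBounds(buf, offset);
  return generate(buf, offset);
}

// Inspection helper: how many of the 16 expected bytes actually landed in buf.
function bytesLanded(bytes, buf, offset = 0) {
  let n = 0;
  for (let i = 0; i < 16; i++) {
    if (offset + i < buf.length && buf[offset + i] === bytes[i]) n++;
  }
  return n;
}
```

With an 8-byte buffer the unchecked path reports 8 bytes landed and no error, while `writeUuidChecked` and `safeUuidInto` throw RangeError and leave the buffer untouched; the same guard accepts a 32-byte buffer with `offset` 16, since the full range 16..31 fits.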