GHSA-qmq6-f8pr-cx5x: Duplicate Advisory: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

April 23, 2026 (updated May 5, 2026)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-w5hq-g745-h8pq. This link is maintained to preserve external references.

Original Advisory

uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue.

References

github.com/advisories/GHSA-qmq6-f8pr-cx5x
github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34
github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq
nvd.nist.gov/vuln/detail/CVE-2026-41988

Code Behaviors & Features

Detect and mitigate GHSA-qmq6-f8pr-cx5x with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →