Vulnerabilities ›

CVE-2026-2903

Low

CWE-404 — Weakness Type

                    Published: Feb 22, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

3.3

🔗 NVD Official

📄 Description (English)

A flaw has been found in skvadrik re2c up to 4.4. Impacted is the function check_and_merge_special_rules of the file src/parse/ast.cc. This manipulation causes null pointer dereference. The attack can only be executed locally. The exploit has been published and may be used. Patch name: febeb977936f9519a25d9fbd10ff8256358cdb97. It is suggested to install a patch to address this issue.

🤖 AI Executive Summary

A null pointer dereference vulnerability exists in skvadrik re2c up to version 4.4 in the check_and_merge_special_rules function. This local attack can cause denial of service but requires direct access to the affected system.

📄 Description (Arabic)

تم اكتشاف ثغرة إلغاء مؤشر فارغ في أداة skvadrik re2c الإصدار 4.4 وما قبله في دالة معالجة القواعس الخاصة. تتطلب الهجمة وصولاً محلياً مباشراً للنظام المتأثر وقد تؤدي إلى توقف التطبيق.

🤖 ملخص تنفيذي (AI)

A null pointer dereference flaw in skvadrik re2c versions up to 4.4 affects the check_and_merge_special_rules function. The vulnerability requires local access and can lead to application crashes or denial of service.

🤖 AI Intelligence Analysis Analyzed: May 30, 2026 08:02

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: medium

🏢 Affected Saudi Sectors

government telecom

🎯 MITRE ATT&CK Techniques

T1499

⚖️ Saudi Risk Score (AI)

3.0

/ 10.0

🔧 Remediation Steps (English)

Update skvadrik re2c to a version after 4.4 that includes patch febeb977936f9519a25d9fbd10ff8256358cdb97. Organizations should prioritize patching development and build systems that utilize this lexer generator tool.

🔧 خطوات المعالجة (العربية)

قم بتحديث skvadrik re2c إلى إصدار أحدث من 4.4 يتضمن التصحيح febeb977936f9519a25d9fbd10ff8256358cdb97. يجب على المؤسسات إعطاء الأولوية لتصحيح أنظمة التطوير والبناء التي تستخدم هذه الأداة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.12.6.1 A.14.2.1

🔵 SAMA CSF

ID.RA-1 PR.IP-12

🟡 ISO 27001:2022

27001:A.12.6.1 27001:A.14.2.1

🔗 References & Sources 8

🔗

https://github.com/oneafter/0202/blob/main/re/repro

cna@vuldb.com

🔗

https://github.com/skvadrik/re2c/

cna@vuldb.com

🔗

https://github.com/skvadrik/re2c/commit/febeb977936f9519a25d9fbd10ff8256358cdb97

cna@vuldb.com

🔗

https://github.com/skvadrik/re2c/issues/571

cna@vuldb.com

🔗

https://github.com/skvadrik/re2c/issues/571#issuecomment-3837675101

cna@vuldb.com

🔗

https://vuldb.com/?ctiid.347210

cna@vuldb.com

🔗

https://vuldb.com/?id.347210

cna@vuldb.com

🔗

https://vuldb.com/?submit.755030

cna@vuldb.com

📊 CVSS Score

3.3

/ 10.0 — Low

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityN — None / Network

AvailabilityL — Low / Local

📋 Quick Facts

Severity Low

CVSS Score3.3

CWECWE-404

EPSS0.01%

Exploit No

Patch ✗ No

Published 2026-02-22

Source Feed nvd

🇸🇦 Saudi Risk Score

3.0

/ 10.0 — Saudi Risk

Priority: LOW

🏷️ Tags

CWE-404

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-2903

💬 Comments

Introduce Yourself

Sign In Required