JustAppSec

EditorConfig core library fixes ec_glob stack overflow crash

1 min read · Published 18 Apr 2026 · Updated 18 Apr 2026 · Source: CVEProject (cvelistV5)

TL;DR — A stack-based buffer overflow in editorconfig-core-c can crash tools/editors when they parse a crafted .editorconfig inside a deeply nested attacker-controlled directory tree.

What happened

editorconfig-core-c is the C implementation of the EditorConfig parser, commonly embedded in developer tooling and editor integrations to apply formatting rules based on .editorconfig files.

CVE-2026-40489 describes a stack-based buffer overflow in ec_glob() where a pattern string can overflow a fixed-size stack buffer (l_pattern[8194]) due to an unbounded strcpy(). The CVE record characterizes this as an incomplete fix for CVE-2023-0341, where bounds checking was added for an adjacent buffer (pcre_str) but not for l_pattern.
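To make the defect class concrete, the following is an added illustration, not code from editorconfig-core-c, of an unchecked copy into a fixed stack buffer beside a bounded one that measures before it copies. The function names and the PATTERN_BUF_SIZE macro are hypothetical; only the 8194 figure comes from the CVE record.

```c
#include <stdlib.h>
#include <string.h>

/* Size taken from the l_pattern[8194] figure in the CVE record; the macro
 * name is ours, not the project's. */
#define PATTERN_BUF_SIZE 8194

/* Defective shape described by the record: the glob pattern lands in a fixed
 * stack buffer via an unchecked strcpy, so any pattern of PATTERN_BUF_SIZE
 * bytes or more writes past the end. Shown for contrast only. */
void copy_pattern_unbounded(const char *pattern)
{
    char l_pattern[PATTERN_BUF_SIZE];
    strcpy(l_pattern, pattern);          /* no bound: the bug class at issue */
    (void)l_pattern;
}

/* Hardened shape: measure first, refuse anything that does not fit with its
 * NUL, then copy. Returns 0 on success, -1 if rejected. The same check must
 * guard every fixed buffer the pattern flows into, which is the lesson of the
 * incomplete CVE-2023-0341 fix. */
int copy_pattern_bounded(const char *pattern, char *dst, size_t dst_size)
{
    size_t len = strlen(pattern);
    if (len >= dst_size)
        return -1;
    memcpy(dst, pattern, len + 1);
    return 0;
}

/* Runs the bounded copy against a stack buffer of the original size. */
int pattern_fits(const char *pattern)
{
    char l_pattern[PATTERN_BUF_SIZE];
    return copy_pattern_bounded(pattern, l_pattern, sizeof l_pattern);
}

/* Constructed input: a pattern of exactly PATTERN_BUF_SIZE bytes (one too
 * many once the NUL is counted). Returns 1 if the bounded copy rejects it. */
int overlong_pattern_rejected(void)
{
    char *too_long = malloc(PATTERN_BUF_SIZE + 1);
    if (!too_long)
        return 0;
    memset(too_long, 'a', PATTERN_BUF_SIZE);
    too_long[PATTERN_BUF_SIZE] = '\0';
    int rejected = pattern_fits(too_long) == -1;
    free(too_long);
    return rejected;
}
```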

Operationally, this is a practical crash/DoS trigger when a victim opens or processes a file located in an attacker-controlled directory structure containing a crafted .editorconfig. The CVE record notes that on Ubuntu 24.04, FORTIFY_SOURCE turns the overflow into a SIGABRT termination.

Why it matters: .editorconfig parsing is often automatic in IDEs/editors and can run in CI (lint/format pipelines) against untrusted repositories, making “malicious repo causes tool crash” a repeatable supply-chain-adjacent reliability failure mode for platform teams.

Who is impacted

  • Projects and tools using editorconfig-core-c versions < 0.12.11.
  • Any workflow that parses .editorconfig from untrusted sources (e.g., opening files in cloned repositories, processing archives, or CI jobs that run formatting/lint steps on external contributions).
  • Environments where crashes in editor integrations or build tooling are materially disruptive (shared build agents, developer workstation baselines, or critical CI gates).

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.

    "Version 0.12.11 contains an updated fix."

  • Inventory where libeditorconfig is present (editor integrations, CLI tooling, container images for build agents) and map deployed versions to the affected range.
  • Treat repeated tool/editor crashes during .editorconfig evaluation as a potential signal of malicious repository content; capture the triggering path and .editorconfig for triage.
  • If you must process untrusted repositories before patching, consider compensating controls such as isolating formatting/linting steps (separate sandbox/container) to reduce blast radius of parser crashes.

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
