uriparser <1.0.2: Pointer Diff Truncation to int
CVE-2026-44927 Published on May 8, 2026
In uriparser before 1.0.2, there is pointer difference truncation to int in various places.
Vulnerability Analysis
CVE-2026-44927 can be exploited with local system access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
Numeric Truncation Error
Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred.
Products Associated with CVE-2026-44927
Want to know whenever a new CVE is published for PHP? stack.watch will email you.
Affected Versions
uriparser:- Before 1.0.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.