CVE-2026-13574

Published: July 4, 2026Last modified: July 8, 2026

Description

A vulnerability was determined in llvm llvm-project up to 22.1.6. This impacts the function GCRelocateInst::getBasePtr in the library llvm/lib/IR/IntrinsicInst.cpp of the component Bitcode File Handler. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Severity score breakdown

ParameterValue
Base score3.3
Attack VectorLOCAL
Attack complexityLOW
Privileges requiredLOW
User interactionNONE
ScopeUNCHANGED
ConfidentialityNONE
Integrity impactNONE
Availability impactLOW
VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSlldbNot affected (15.0.5-r1)
llvm15Vulnerable (15.0.5-r1)
25 LTSclang19Not affected (19.1.7-r2)
libclcNot affected (20.1.5-r0)
lld19Not affected (19.1.7-r4)
lldbNot affected (20.1.5-r0)
llvm-runtimesNot affected (20.1.5-r0)
llvm19Vulnerable (19.1.7-r2)
Streamclang19Not affected (19.1.1-r1)
clang21Not affected (21.1.2-r2)
clang22Not affected (22.1.0-r1)
libclcNot affected (17.0.6-r0)
lld19Not affected (19.1.7-r3)
lld21Not affected (21.1.2-r1)
lld22Not affected (22.1.0-r0)
lldbNot affected (15.0.5-r1)
llvm-runtimesNot affected (17.0.5-r0)
llvm19Vulnerable (19.1.1-r1)
llvm21Vulnerable (21.1.2-r1)
llvm22Vulnerable (22.1.0-r1)
wasi-compiler-rtNot affected (22.1.3-r1)

References

ON THIS PAGE