CVE-2018-19976Sensitive Information Exposure in Yara

CWE-200Sensitive Information Exposure10 documents7 sources
Severity
5.5MEDIUMNVD
OSV7.5
EPSS
0.1%
top 65.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Virustotal Yara
Timeline
PublishedDec 17
Latest updateMar 9

Description

In YARA 3.8.1, bytecode in a specially crafted compiled rule is exposed to information about its environment, in libyara/exec.c. This is a consequence of the design of the YARA virtual machine.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

Debianvirustotal/yara< 3.8.1-2+3
Ubuntuvirustotal/yara< 3.4.0+dfsg-2ubuntu0.1~esm1+2
NVDvirustotal/yara3.8.1

🔴Vulnerability Details

4
OSV
yara vulnerabilities2026-03-09
GHSA
GHSA-wrpm-24mf-gq6c: In YARA 32022-05-13
CVEList
CVE-2018-19976: In YARA 32018-12-17
OSV
CVE-2018-19976: In YARA 32018-12-17

📋Vendor Advisories

2
Ubuntu
YARA vulnerabilities2026-03-09
Debian
CVE-2018-19976: yara - In YARA 3.8.1, bytecode in a specially crafted compiled rule is exposed to infor...2018

💬Community

3
Bugzilla
CVE-2018-19974 CVE-2018-19975 CVE-2018-19976 yara: Multiple issues2018-12-18
Bugzilla
CVE-2018-19974 CVE-2018-19975 CVE-2018-19976 yara: Multiple issues [fedora-all]2018-12-18
Bugzilla
CVE-2018-19974 CVE-2018-19975 CVE-2018-19976 yara: Multiple issues [epel-all]2018-12-18
CVE-2018-19976 — Sensitive Information Exposure in Yara | cvebase