PT-2025-39096 · Unknown · Codechecker

Published: 2025-09-22 · Updated: 2025-11-14 · CVE-2025-40843

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CodeChecker versions through 6.26.1

Description: CodeChecker versions up to 6.26.1 contain a buffer overflow in the internal ldlogger library, triggered when the CodeChecker log command is executed. The issue stems from the use of strcpy() without a length check, which lets an attacker overrun a 4096-byte stack-allocated buffer by supplying crafted input on the command line. An example script demonstrates exploitation by passing a payload larger than the buffer to the CodeChecker log command through the -b option. Environments that run the vulnerable CodeChecker log command on untrusted user input are affected. The crafted input is supplied as the build command, for example /very/long/path/to/$payload/gcc a.c, where payload is the crafted string.

Recommendations: Versions prior to 6.26.1 should be updated.
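As an added illustration (not ldlogger's or CodeChecker's code), a bounded copy that refuses input which would not fit a 4096-byte stack buffer, i.e. the length check that an unchecked strcpy() omits; the function and buffer names are assumptions:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Mirrors the 4096-byte buffer size given in the advisory. */
#define LOGGER_PATH_BUF 4096

/* Hypothetical helper: copy src into a fixed buffer of cap bytes only
 * if it fits, terminator included. Returns false and leaves dst
 * untouched when src is too long, which is exactly the check an
 * unchecked strcpy() into a stack buffer lacks. */
bool copy_bounded(char *dst, size_t cap, const char *src) {
    if (cap == 0) return false;
    /* strnlen stops after cap bytes, so an oversized or unterminated
     * src is detected without scanning past the limit. */
    size_t len = strnlen(src, cap);
    if (len >= cap) return false;      /* no room for the NUL */
    memcpy(dst, src, len + 1);
    return true;
}

/* Returns 1 if the argument fits the logger's buffer, 0 if rejected. */
int accept_argument(const char *arg) {
    char buf[LOGGER_PATH_BUF];
    return copy_bounded(buf, sizeof buf, arg) ? 1 : 0;
}

/* Constructed sample input of n 'A' bytes (not a real payload), used to
 * probe the boundary: 4095 bytes fit, 4096 or more do not. */
const char *arg_of_length(size_t n) {
    static char big[LOGGER_PATH_BUF + 1024];
    if (n >= sizeof big) n = sizeof big - 1;
    memset(big, 'A', n);
    big[n] = '\0';
    return big;
}
```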

Fix

Weakness Enumeration

Stack Overflow

Related Identifiers

CVE-2025-40843
GHSA-5XF2-F6CH-6P8R
PYSEC-2025-100

Affected Products

Codechecker