
CVE-2026-2644: Out-of-Bounds Read in niklasso minisat

Severity: Medium
Published: Wed Feb 18 2026 (02/18/2026, 07:02:06 UTC)
Source: CVE Database V5
Vendor/Project: niklasso
Product: minisat

Description

A weakness has been identified in niklasso minisat up to 2.2.0. This issue affects the function Solver::value in the file core/SolverTypes.h, part of the DIMACS File Parser component. Manipulating the argument variable index with the input 2147483648 causes an out-of-bounds read. The attack must be launched locally. An exploit has been made publicly available and could be used for attacks. The project was informed of the problem early through an issue report but has not yet responded.

AI-Powered Analysis

Last updated: 02/18/2026, 07:30:38 UTC

Technical Analysis

CVE-2026-2644 identifies an out-of-bounds read vulnerability in the niklasso minisat SAT solver library, affecting versions 2.0 through 2.2.0. The vulnerability resides in the Solver::value function located in core/SolverTypes.h, part of the DIMACS File Parser component. Specifically, when the argument variable index is manipulated with the value 2147483648 (2^31), it causes the function to read memory outside the bounds of allocated data structures. This can lead to unintended information disclosure or potentially cause application crashes due to invalid memory access. The attack vector requires local access with low privileges (PR:L), no user interaction, and no authentication bypass. The CVSS 4.0 score of 4.8 reflects a medium severity, considering the limited attack surface and the need for local exploitation. The vulnerability was responsibly disclosed early to the project, but no patch or response has been issued yet. Although no known exploits in the wild have been reported, a proof-of-concept exploit is publicly available, increasing the risk of exploitation in environments where minisat is used. Minisat is commonly employed in academic research, formal verification, and constraint solving tasks, often integrated into larger software systems. The lack of vendor response and patch availability necessitates proactive mitigation by users.

Potential Impact

For European organizations, the impact of CVE-2026-2644 depends on the deployment context of minisat. Since exploitation requires local access, the primary risk is to systems where minisat is installed and accessible by untrusted local users or processes. Potential impacts include unauthorized information disclosure through memory reads and application instability or crashes, which could disrupt dependent workflows or services. In sectors such as academia, research institutions, and industries relying on formal verification or constraint solving (e.g., automotive, aerospace, telecommunications), this vulnerability could undermine the integrity and availability of critical analysis tools. While the vulnerability does not directly enable remote code execution or privilege escalation, it could be leveraged as part of a multi-stage attack. The absence of a patch and the availability of public exploits increase the urgency for European entities to assess their exposure and implement mitigations. Organizations with strict local access controls and monitoring may face limited risk, but those with shared or less controlled environments should prioritize remediation efforts.

Mitigation Recommendations

1. Restrict local access to systems running minisat to trusted users only, enforcing strict user permissions and access controls.
2. Monitor system logs and usage patterns for unusual or unauthorized invocation of minisat, especially with suspicious input parameters.
3. If feasible, isolate minisat execution environments using containerization or sandboxing to limit the impact of potential exploitation.
4. Review and audit any custom integrations or scripts that invoke minisat to ensure they validate input parameters and do not allow untrusted input to reach the vulnerable function.
5. Consider applying source code patches or workarounds if available from the community or security researchers until an official vendor patch is released.
6. Maintain up-to-date backups and incident response plans to quickly recover from potential crashes or data exposure incidents.
7. Engage with the minisat project or community to encourage timely patch development and dissemination.
8. Educate local users about the risks of running untrusted code or inputs on systems hosting minisat.
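Recommendation 4 can be implemented as a pre-flight check in the wrapper that hands DIMACS input to minisat. The following is an added example, not code from minisat or from this advisory; the names `check_dimacs` and `max_vars`, and the policy of rejecting any variable index above the count declared in the header, are assumptions.

```python
import re

INT32_MAX = 2**31 - 1            # 2147483647; the advisory's input is one above this
_INT = re.compile(r"-?[0-9]+")   # ASCII digits only, optional sign
_UINT = re.compile(r"[0-9]+")


def check_dimacs(text, max_vars=INT32_MAX - 1):
    """Return (line_no, message) findings for DIMACS CNF text; empty list = accept.

    Assumed policy: one 'p cnf <vars> <clauses>' header before any clause, and
    every literal's variable index within 1..min(<vars>, max_vars).
    """
    findings = []
    limit = None  # highest variable index allowed, set by the header
    for line_no, line in enumerate(text.splitlines(), start=1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("c"):
            continue  # blank line or comment
        if tokens[0] == "p":
            ok = (limit is None and len(tokens) == 4 and tokens[1] == "cnf"
                  and all(_UINT.fullmatch(t) for t in tokens[2:]))
            if not ok:
                findings.append((line_no, "malformed or duplicate header"))
                continue
            declared = int(tokens[2])
            if declared > max_vars:
                findings.append((line_no, f"declared variable count {declared} exceeds {max_vars}"))
            limit = min(declared, max_vars)
            continue
        if limit is None:
            findings.append((line_no, "clause before header"))
            continue
        for tok in tokens:
            if not _INT.fullmatch(tok):
                findings.append((line_no, f"non-integer token {tok!r}"))
            elif abs(int(tok)) > limit:  # Python ints do not wrap, so 2**31 stays 2**31
                findings.append((line_no, f"variable index {abs(int(tok))} outside 1..{limit}"))
    if limit is None:
        findings.append((0, "missing header"))
    return findings


# Constructed sample inputs (not taken from the public proof of concept).
GOOD = "c constructed sample\np cnf 3 2\n1 -3 0\n2 3 -1 0\n"
BAD = "p cnf 3 1\n1 2147483648 0\n"
```

A wrapper would call `check_dimacs` on the file contents and refuse to start the solver when the returned list is non-empty, logging the findings to support recommendation 2.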


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-17T20:39:31.868Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6995672780d747be204d295f

Added to database: 2/18/2026, 7:15:51 AM

Last enriched: 2/18/2026, 7:30:38 AM

Last updated: 2/21/2026, 12:23:18 AM
