CVE-2026-2644 identifies an out-of-bounds read vulnerability in the minisat solver library developed by niklasso, affecting versions 2.0 through 2.2.0. The vulnerability resides in the Solver::value function located in core/SolverTypes.h, part of the DIMACS file parser component. When the function receives an argument variable index of 2147483648 (which exceeds the maximum signed 32-bit integer range), it attempts to read memory outside the allocated bounds, resulting in an out-of-bounds read condition. This flaw can be triggered by a local attacker with low privileges, as the attack vector requires local access but no elevated permissions or user interaction. The vulnerability could potentially allow an attacker to read sensitive memory contents, leading to information disclosure or cause application crashes, impacting availability. The issue was responsibly disclosed early to the project maintainers, but no patch or response has been provided yet. Although an exploit has been publicly released, there are no confirmed reports of exploitation in the wild. The vulnerability's CVSS 4.8 score reflects its medium severity, considering the local attack vector and limited impact scope. Minisat is commonly used in academic, research, and some industrial applications for SAT solving, so affected systems are primarily those running local instances of minisat for logic solving or verification tasks.

The primary impact of CVE-2026-2644 is the potential for local attackers to read memory beyond intended boundaries, which can lead to unauthorized disclosure of sensitive information stored in memory. This could include cryptographic keys, passwords, or other confidential data if minisat is used in security-critical contexts. Additionally, the out-of-bounds read may cause application instability or crashes, affecting availability of services relying on minisat. Since exploitation requires local access, remote attackers cannot directly leverage this vulnerability, limiting its scope. However, in environments where minisat is integrated into larger systems or automated workflows, a local attacker gaining foothold could escalate their capabilities or disrupt operations. The lack of vendor response and patch increases risk for organizations relying on affected versions. Overall, the impact is moderate but significant in sensitive or high-assurance environments.

To mitigate CVE-2026-2644, organizations should first identify all instances of minisat versions 2.0 through 2.2.0 deployed locally. Since no official patch is currently available, consider the following specific actions: 1) Restrict local access to systems running minisat to trusted users only, minimizing the risk of local exploitation. 2) Employ operating system-level sandboxing or containerization to limit minisat's access to memory and system resources, reducing potential damage from exploitation. 3) Monitor local system logs and behavior for anomalies indicative of attempts to exploit this vulnerability. 4) If feasible, review and modify minisat source code to add bounds checking on the variable index parameter in Solver::value, preventing out-of-bounds reads. 5) Engage with the minisat project or community to track patch releases or mitigations. 6) For critical environments, consider replacing minisat with alternative SAT solvers that have no known vulnerabilities. 7) Implement strict privilege separation and access controls to prevent unauthorized local code execution. These targeted mitigations go beyond generic advice by focusing on local access control, code review, and containment strategies.