The editorconfig-core-c library, used for parsing EditorConfig files, contains a stack-based buffer overflow vulnerability (CWE-121) in the ec_glob() function in versions prior to 0.12.11. This overflow occurs because while the pcre_str buffer was protected in version 0.12.6, the adjacent l_pattern stack buffer was not, allowing crafted input to overflow the stack buffer. This vulnerability can cause applications using the library to crash when processing maliciously crafted directory structures and .editorconfig files. The issue is a partial regression of CVE-2023-0341 and has been fixed in version 0.12.11. The CVSS 4.0 score is 8.6 (high severity), reflecting local attack vector with high impact on confidentiality, integrity, and availability.

Successful exploitation can cause denial of service by crashing applications that use editorconfig-core-c due to stack-based buffer overflow. The vulnerability does not require privileges or user interaction but requires local access to provide crafted input. There is no evidence of remote exploitation or code execution from the provided data. The impact affects confidentiality, integrity, and availability at a high level due to the nature of the overflow and potential application crashes.

Version 0.12.11 of editorconfig-core-c contains the updated fix for this vulnerability. Users and developers should upgrade to version 0.12.11 or later to remediate this issue. No official remediation level or patch links are provided in the advisory, but the vendor has addressed the vulnerability in the stated version. Until upgrade, avoid processing untrusted .editorconfig files or directory structures with vulnerable versions. Patch status is not explicitly confirmed beyond the mention of version 0.12.11 containing the fix; verify with vendor sources for the latest guidance.