CVE-2026-13574

Source
https://cve.org/CVERecord?id=CVE-2026-13574
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-13574.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-13574
Downstream
Published
2026-06-29T14:15:09.190Z
Modified
2026-07-11T03:54:38.297834512Z
Severity
  • 1.9 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
llvm llvm-project Bitcode File IntrinsicInst.cpp getBasePtr heap-based overflow
Details

A vulnerability was determined in llvm llvm-project up to 22.1.6. This impacts the function GCRelocateInst::getBasePtr in the library llvm/lib/IR/IntrinsicInst.cpp of the component Bitcode File Handler. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. There are still doubts about whether this vulnerability truly exists. The LLVM project explains, that the reported behavior is outside its documented security scope and therefore not considered a security vulnerability.

Database specific
{
    "cwe_ids": [
        "CWE-119",
        "CWE-122"
    ],
    "isDisputed": true,
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13574.json",
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/llvm/llvm-project

Affected ranges

Type
GIT
Repo
https://github.com/llvm/llvm-project
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "22.1.0"
        },
        {
            "last_affected": "22.1.0"
        },
        {
            "introduced": "22.1.1"
        },
        {
            "last_affected": "22.1.1"
        },
        {
            "introduced": "22.1.2"
        },
        {
            "last_affected": "22.1.2"
        },
        {
            "introduced": "22.1.3"
        },
        {
            "last_affected": "22.1.3"
        },
        {
            "introduced": "22.1.4"
        },
        {
            "last_affected": "22.1.4"
        },
        {
            "introduced": "22.1.5"
        },
        {
            "last_affected": "22.1.5"
        },
        {
            "introduced": "22.1.6"
        },
        {
            "last_affected": "22.1.6"
        }
    ]
}

Affected versions

22.*
22.1.0
22.1.1
22.1.2
22.1.3
22.1.4
22.1.5
22.1.6
llvmorg-22.*
llvmorg-22.1.0
llvmorg-22.1.1
llvmorg-22.1.2
llvmorg-22.1.3
llvmorg-22.1.4
llvmorg-22.1.5
llvmorg-22.1.6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-13574.json"