CVE-2026-3407

low

Published 2026-03-02 · Modified 2026-04-29

CVSS v3

3.3

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CVSS v2

1.7

VIR risk

3.3

Description

A vulnerability was determined in YosysHQ yosys up to 0.62. This affects the function Yosys::RTLIL::Const::set of the file kernel/rtlil.h of the component BLIF File Parser. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. Applying a patch is the recommended action to fix this issue. It appears that the issue is not reproducible all the time.

Predictions

Exploit likelihood

34%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

References

https://github.com/YosysHQ/yosys/
https://github.com/YosysHQ/yosys/issues/5677
https://github.com/YosysHQ/yosys/pull/5680
https://github.com/YosysHQ/yosys/pull/5681
https://github.com/oneafter/0210/blob/main/yo2/repro
https://vuldb.com/?ctiid.348302
https://vuldb.com/?id.348302
https://vuldb.com/?submit.763755

CWEs

CWE-119 CWE-122

Verify integrity in audit chain (admin only). AS-IS.