CVE-2026-13574
llvm llvm-project Bitcode File IntrinsicInst.cpp getBasePtr heap-based overflow
| CVSS Score | 3.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
A vulnerability was found in llvm llvm-project up to 22.1.6. It affects the function GCRelocateInst::getBasePtr in the file llvm/lib/IR/IntrinsicInst.cpp of the component Bitcode File Handler. Manipulation leads to a heap-based buffer overflow. The attack has to be launched on the local host. The exploit has been publicly disclosed and may be used. The project was informed of the problem early through an issue report but has not responded yet.
| CWE | CWE-122 CWE-119 |
| Vendor | llvm |
| Product | llvm-project |
| Published | Jun 29, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | Low |
Affected Versions
llvm / llvm-project
22.1.0, 22.1.1, 22.1.2, 22.1.3, 22.1.4, 22.1.5, 22.1.6
References
vuldb.com: https://vuldb.com/vuln/374582
vuldb.com: https://vuldb.com/vuln/374582/cti
vuldb.com: https://vuldb.com/cve/CVE-2026-13574
vuldb.com: https://vuldb.com/submit/844468
github.com: https://github.com/llvm/llvm-project/issues/199191
github.com: https://github.com/user-attachments/files/28142619/poc.zip
github.com: https://github.com/llvm/llvm-project/
Credits
TYGLS (VulDB User)
VulDB CNA Team