CVE-2026-2903

LOW 3.3

skvadrik re2c ast.cc check_and_merge_special_rules null pointer dereference

CVSS Score

3.3

EPSS Score

0.0%

EPSS Percentile

0th

A flaw has been found in skvadrik re2c up to 4.4. Impacted is the function check_and_merge_special_rules of the file src/parse/ast.cc. This manipulation causes null pointer dereference. The attack can only be executed locally. The exploit has been published and may be used. Patch name: febeb977936f9519a25d9fbd10ff8256358cdb97. It is suggested to install a patch to address this issue.

CWE	CWE-476 CWE-404
Vendor	skvadrik
Product	re2c
Published	Feb 22, 2026
Last Updated	Feb 26, 2026

Stay Ahead of the Next One

Get instant alerts for skvadrik re2c

Be the first to know when new low vulnerabilities affecting skvadrik re2c are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

skvadrik / re2c

4.0 4.1 4.2 4.3 4.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/?id.347210 vuldb.com: https://vuldb.com/?ctiid.347210 vuldb.com: https://vuldb.com/?submit.755030 github.com: https://github.com/skvadrik/re2c/issues/571 github.com: https://github.com/skvadrik/re2c/issues/571#issuecomment-3837675101 github.com: https://github.com/oneafter/0202/blob/main/re/repro github.com: https://github.com/skvadrik/re2c/commit/febeb977936f9519a25d9fbd10ff8256358cdb97 github.com: https://github.com/skvadrik/re2c/

Credits

🔍 Oneafter (VulDB User)