GHSA-7FQQ-Q52P-2JJG: Out-of-Bounds Read in OpenCC via Truncated UTF-8 Sequences
Vulnerability ID: GHSA-7FQQ-Q52P-2JJG
CVSS Score: 7.5
Published: 2026-03-29
The OpenCC (Open Chinese Convert) library prior to version 1.2.0 contains two independent heap-based out-of-bounds read vulnerabilities. These flaws reside in the UTF-8 processing logic and occur when handling malformed or truncated multi-byte character sequences. Exploitation results in denial-of-service conditions or the disclosure of adjacent heap memory.
TL;DR
OpenCC versions <= 1.1.9 fail to validate the bounds of truncated UTF-8 strings, resulting in heap out-of-bounds reads that cause DoS or information disclosure. The issue is patched in version 1.2.0 via strict length clamping.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-125
- Attack Vector: Network
- CVSS Score: 7.5
- Impact: Denial of Service / Information Disclosure
- Exploit Status: Proof of Concept available
- KEV Status: Not Listed
Affected Systems
- OpenCC (BYVoid/OpenCC)
-
OpenCC: <= 1.1.9 (Fixed in:
1.2.0)
Mitigation Strategies
- Upgrade OpenCC to version 1.2.0 or later.
- Implement strict UTF-8 input validation at the application boundary before passing strings to the OpenCC API.
- Isolate or sandbox the text conversion microservice to limit the impact of denial-of-service or information disclosure.
Remediation Steps:
- Identify all applications and services statically or dynamically linked against BYVoid/OpenCC.
- Update the OpenCC dependency to version 1.2.0 in the project's dependency management files.
- Recompile any statically linked binaries to incorporate the patched library.
- Deploy the updated applications and monitor for any text conversion regressions.
References
Read the full report for GHSA-7FQQ-Q52P-2JJG on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)