Severity
7.5
High severity
Details
- CVSS score: 7.5
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Overview
About vulnerability
uuid is a package for creating RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept an external output buffer but do not reject out-of-range writes (a buffer that is too small or an offset that is too large). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.
Details
- Affected product: AlmaLinux 9.2 ESU, Next.js, Node.js, React, TuxCare 9.6 ESU, aws-sdk, browser-env, canvg, config-plugins, cordova-node-xcode, db0, drizzle-orm, expo, expo-router, expo-sqlite, jQuery, javascript-test-reporter, jayson, jest, jsdom, jspdf, last-release-npm, libcipm, libnpm, loopback, loopback-connector, loopback-connector-remote, loopback-datasource-juggler, ng-packagr, nitro, npm, npm-lifecycle, npm-registry-client, nuxt, protractor, request, requestretry, sass-loader, semantic-release, sockjs, strong-remoting, styled-jsx, uuid, webdriver-manager, webpack-dev-middleware, webpack-dev-server, webpack-log, window
- Affected packages: uuid @ 3.1.0 (+177 more)
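
The silent partial write described in the overview, shown as an added example that is not code from the uuid project. `writeUnchecked` is a hypothetical stand-in for a writer that trusts `buf` and `offset`, `writeChecked` is a hypothetical caller-side guard, and the sample bytes are constructed.

```javascript
// Added illustration; none of this is the uuid package's own code.
const UUID_BYTES = 16;

// Constructed sample UUID bytes (1..16) so every written byte is non-zero.
const SAMPLE = Uint8Array.from({ length: UUID_BYTES }, (_, i) => i + 1);

// Hypothetical stand-in for a writer that trusts buf/offset, as the advisory describes.
// Typed arrays ignore out-of-range index writes, so nothing throws.
function writeUnchecked(bytes, buf, offset = 0) {
  for (let i = 0; i < UUID_BYTES; i++) buf[offset + i] = bytes[i];
  return buf;
}

// Hypothetical caller-side guard: refuse any target that cannot hold all 16 bytes.
function writeChecked(bytes, buf, offset = 0) {
  if (!(buf instanceof Uint8Array)) {
    throw new TypeError('buf must be a Uint8Array or Buffer');
  }
  if (!Number.isInteger(offset) || offset < 0 || offset + UUID_BYTES > buf.length) {
    throw new RangeError(
      `need ${UUID_BYTES} bytes at offset ${offset}, buffer has ${buf.length}`);
  }
  return writeUnchecked(bytes, buf, offset);
}

// Number of UUID bytes that actually landed in a zero-filled buffer.
function bytesLanded(buf) {
  return buf.reduce((n, b) => n + (b !== 0 ? 1 : 0), 0);
}

// Runs one write into a fresh buffer and reports the outcome without throwing.
function tryWrite(writer, length, offset) {
  const buf = new Uint8Array(length);
  try {
    writer(SAMPLE, buf, offset);
    return { ok: true, landed: bytesLanded(buf) };
  } catch (err) {
    return { ok: false, error: err.name, landed: bytesLanded(buf) };
  }
}

console.log('small buf, unchecked:   ', tryWrite(writeUnchecked, 8, 0));
console.log('large offset, unchecked:', tryWrite(writeUnchecked, 16, 12));
console.log('small buf, checked:     ', tryWrite(writeChecked, 8, 0));
console.log('large offset, checked:  ', tryWrite(writeChecked, 16, 12));
console.log('valid target, checked:  ', tryWrite(writeChecked, 20, 4));
```

The unchecked calls report success while only part of the value is in the buffer, which is the integrity impact the CVSS vector records (I:H); the guarded calls fail before any byte is written.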