{"id":"CVE-2018-19976","details":"In YARA 3.8.1, bytecode in a specially crafted compiled rule is exposed to information about its environment, in libyara/exec.c. This is a consequence of the design of the YARA virtual machine.","modified":"2026-03-15T22:25:55.774231Z","published":"2018-12-17T19:29:02Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFFXDAMP6GJ337LIOTVF5I4T6QGMN3ZR/"},{"type":"REPORT","url":"https://github.com/VirusTotal/yara/issues/999"},{"type":"EVIDENCE","url":"https://bnbdr.github.io/posts/extracheese/"},{"type":"EVIDENCE","url":"https://github.com/bnbdr/swisscheese/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/virustotal/yara","events":[{"introduced":"0"},{"last_affected":"309894830a5f9ff8cc22155d7719ea608de7bc9d"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.8.1"}]}}],"versions":["v2.0.0","v2.1.0","v3.0.0","v3.1.0","v3.2.0","v3.3.0","v3.4.0","v3.6.0","v3.7.0","v3.8.0","v3.8.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-19976.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}