{"id":"CVE-2018-19976","details":"In YARA 3.8.1, bytecode in a specially crafted compiled rule is exposed to information about its environment, in libyara/exec.c. This is a consequence of the design of the YARA virtual machine.","modified":"2026-04-11T18:21:10.095128Z","published":"2018-12-17T19:29:02Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFFXDAMP6GJ337LIOTVF5I4T6QGMN3ZR/"},{"type":"REPORT","url":"https://github.com/VirusTotal/yara/issues/999"},{"type":"EVIDENCE","url":"https://bnbdr.github.io/posts/extracheese/"},{"type":"EVIDENCE","url":"https://github.com/bnbdr/swisscheese/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/virustotal/yara","events":[{"introduced":"0"},{"last_affected":"309894830a5f9ff8cc22155d7719ea608de7bc9d"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"3.8.1"}],"cpe":"cpe:2.3:a:virustotal:yara:3.8.1:*:*:*:*:*:*:*"}}],"versions":["v2.0.0","v2.1.0","v3.0.0","v3.1.0","v3.2.0","v3.3.0","v3.4.0","v3.6.0","v3.7.0","v3.8.0","v3.8.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-19976.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}