CVE-2026-13574
CVSS 3.3 (Low)
Exploitation Probability (EPSS): low risk, 2nd percentile (higher than 2% of all known CVEs)
Summary
A vulnerability was found in the LLVM project up to version 22.1.6, in the GCRelocateInst::getBasePtr function in llvm/lib/IR/IntrinsicInst.cpp. A crafted Bitcode file processed by the Bitcode file handler triggers a heap-based buffer overflow. The attack can be launched locally, and an exploit has been publicly disclosed.
Risk Assessment
The organization is at risk of local code execution through crafted Bitcode files, potentially leading to system integrity compromise or unauthorized access.
Recommendation
Update LLVM to a patched release (newer than 22.1.6) as soon as one is available. Until then, restrict Bitcode file processing to files from trusted sources only.
Original NVD description (English source)
A vulnerability was determined in llvm llvm-project up to 22.1.6. This impacts the function GCRelocateInst::getBasePtr in the library llvm/lib/IR/IntrinsicInst.cpp of the component Bitcode File Handler. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.