I’m a Vulnerability Analyst at VulnCheck, an exploit intelligence company and research CVE Numbering Authority (CNA), where I'm one of several folks who manage our coordinated vulnerability disclosure (CVD) program.
An external security researcher recently reported a vulnerability (https://www.vulncheck.com/advisories/report) impacting X5000R, and VulnCheck is acting as the intermediary and coordinator.
We are interested in determining whether you all are able to reproduce these issues and whether you agree with the researcher's assessment of the overall security impact. For context, these vulnerabilities were discovered via static analysis of the project's source code.
VulnCheck follows a 120-day disclosure policy, meaning we afford vendors/maintainers up to 120 days from the time of receiving the report to address the issues before publication of CVE records and third-party advisories. For these vulnerabilities, that 120-day deadline falls on September 17, 2026.
We have provisionally allocated the following CVE ID, which has been shared with the researcher but will remain private until public disclosure:
CVE-2026-9146 - json-c 0.18.99 Use-After-Free via json_object_iterator Concurrent Modification
If interested in VulnCheck's previous disclosures, you may find them here (https://www.vulncheck.com/advisories).
Let us know if you have any questions for us about the CVD process or for the researcher regarding the reported vulnerabilities.
Coordinated Vulnerability Disclosure - json-c.pdf