Zen-C
GitHub Security Report
You can find the GitHub security report here
CVE-2026-28207
You can find the CVE Record information here
Summary
A command injection vulnerability in the Zen-C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the -o command-line argument.
Affected Version
v0.4.1 and below
Vulnerability Description
In src/main.c at line 591:

```c
// Compile C
char cmd[32768];
char *outfile =
    g_config.output_file ? g_config.output_file : (z_is_windows() ? "a.exe" : "a.out");

char extra_c_sources[4096] = {0};
for (int i = 0; i < g_config.c_file_count; i++)
{
    size_t len = strlen(extra_c_sources);
    snprintf(extra_c_sources + len, sizeof(extra_c_sources) - len, " %s", g_config.c_files[i]);
}

// Build command
build_compile_command(cmd, sizeof(cmd), outfile, temp_source_file, extra_c_sources);

if (g_config.verbose)
{
    printf(COLOR_BOLD COLOR_BLUE "  Command" COLOR_RESET " %s\n", cmd);
}

// cmd is handed to /bin/sh -c; outfile is inserted into it unescaped
int ret = system(cmd);
```

system(cmd) (from libc) is called on the buffer, and the function build_compile_command() is what fills char cmd[32768].
Indeed, in src/utils/cmd.c, inside the function build_compile_command() at line 88:

```c
    // Output file
    cmd_add(&cb, "-o");
    cmd_add(&cb, outfile);

    // Input files
    cmd_add(&cb, temp_source_file);
    cmd_add(&cb, extra_c_sources);
```

cmd_add() appends the pieces of the compilation command to the char *cmd buffer, including const char *outfile, which is the output filename.
The content of char *cmd after the build_compile_command() call is easy to inspect in gdb:

The system() function (from libc) then executes gcc with the poorly sanitized argument string held in char cmd[32768].
We can use a semicolon (;) inside the output filename to terminate the gcc command and execute any shell command.
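The fix for this class of sink is to stop passing a flat string to a shell. The following is an added example, not Zen-C's own code: the compiler invocation is built as an argv vector and started with posix_spawnp(), so an output filename containing `;` reaches gcc as one argument and is never parsed by /bin/sh. The names build_compile_argv, run_argv and ZC_MAX_ARGS are assumed for the example and do not exist in the project.

```c
#define _POSIX_C_SOURCE 200809L
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

#define ZC_MAX_ARGS 64   /* assumed limit for the example, not from the project */

/* Fill argv with the compiler command line. Every user-controlled value
 * (outfile, source files) becomes exactly one argv element, so shell
 * metacharacters inside it are never interpreted. Returns argc, or -1 if
 * the vector (including the NULL terminator) would not fit. */
int build_compile_argv(char *argv[], int max_args, const char *cc,
                       const char *outfile, const char *temp_source_file,
                       const char *const *extra_c_sources, int extra_count)
{
    int argc = 0;
    /* cc, -o, outfile, temp source, the extra sources, and the NULL */
    if (extra_count < 0 || 4 + extra_count + 1 > max_args)
        return -1;
    argv[argc++] = (char *)cc;
    argv[argc++] = "-o";
    argv[argc++] = (char *)outfile;
    argv[argc++] = (char *)temp_source_file;
    for (int i = 0; i < extra_count; i++)
        argv[argc++] = (char *)extra_c_sources[i];
    argv[argc] = NULL;
    return argc;
}

/* Run argv directly (no "sh -c"), wait for the child and return its exit
 * status; -1 if it could not be spawned or did not exit normally. */
int run_argv(char *const argv[])
{
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

With this shape, the verbose "Command" print should join argv for display only; the joined string must never become the thing that is executed.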
PoC
