CVE Catalog

CVE-2026-13502

MediumCVSS 4.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.09%

1th percentile — higher than 1% of all known CVEs

Summary

A time-of-check time-of-use (TOCTOU) vulnerability has been found in ANTLR4 up to version 4.13.2 in the ObjectInputStream.readObject function of the GrammarDependencies.java file in the Maven Plugin component. The attack requires local access and is difficult to exploit, but an exploit has been published.

Risk Assessment

The organization may face local privilege escalation or data integrity issues if an attacker gains system access and successfully exploits the race condition between resource check and use.

Recommendation

Immediately update ANTLR4 to a version newer than 4.13.2 and monitor for an official patch from the vendor. Until then, restrict local access to systems using this component.

Original NVD description (English source)

A flaw has been found in antlr ANTLR4 up to 4.13.2. This affects the function ObjectInputStream.readObject of the file antlr4-maven-plugin/src/main/java/org/antlr/mojo/antlr4/GrammarDependencies.java of the component Maven Plugin. This manipulation causes time-of-check time-of-use. The attack is restricted to local execution. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS