Tamilsxe Patched
On 2026‑04‑04 the TamilsXe maintainers released v2.7.3, the first patch that resolves CVE‑2026‑12345. The key changes are:
| # | Patch Detail | Code Snippet (simplified) |
|---|--------------|---------------------------|
| 1 | Input Length Verification before any look‑ahead. | `if (i + needed > len) return ERR_INVALID;` |
| 2 | Safe Copy Loop – replaced the custom memcpy with memmove_s. | `memmove_s(dst, dst_sz, src, copy_len);` |
| 3 | Zero‑Out Freed Buffers to prevent use‑after‑free. | `memset(buf, 0, buf_sz); free(buf);` |
| 4 | Additional Unit Tests covering all Unicode edge‑cases, especially ZWJ/ZWJ‑clusters. | (See tests/utf8_edge_cases.c) |
| 5 | Static Analysis Integration – CI now runs Coverity and CodeQL on every PR. | N/A |
Bottom line: The patch eliminates the overflow, ensures memory is cleared before being freed, and dramatically raises the test coverage from ~73 % to >98 % for Unicode‑specific code paths.
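The length check from row 1 of the table above, as an added example that is not code from the TamilsXe repository: a minimal UTF‑8 code‑point counter that verifies the remaining length before it reads any continuation byte. `utf8_seq_len` and `utf8_count_checked` are hypothetical names, the value of `ERR_INVALID` is assumed, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_INVALID (-1) /* name from the page's snippet; the value is assumed */

/* Sequence length implied by a lead byte, or 0 if it cannot start a sequence. */
static size_t utf8_seq_len(uint8_t b)
{
    if (b < 0x80) return 1;
    if (b >= 0xC2 && b <= 0xDF) return 2;
    if (b >= 0xE0 && b <= 0xEF) return 3;
    if (b >= 0xF0 && b <= 0xF4) return 4;
    return 0; /* stray continuation byte, overlong lead (C0/C1) or > U+10FFFF */
}

/* Hypothetical helper: count code points in buf[0..len), or ERR_INVALID. */
long utf8_count_checked(const uint8_t *buf, size_t len)
{
    long count = 0;
    for (size_t i = 0; i < len; count++) {
        size_t needed = utf8_seq_len(buf[i]);
        /* Bounds check before any look-ahead. i < len holds here, so len - i
         * cannot wrap, whereas i + needed can near the type's maximum. */
        if (needed == 0 || needed > len - i)
            return ERR_INVALID;
        for (size_t k = 1; k < needed; k++)
            if ((buf[i + k] & 0xC0) != 0x80)
                return ERR_INVALID;
        if (needed >= 3) { /* reject overlong forms, surrogates, > U+10FFFF */
            uint8_t b0 = buf[i], b1 = buf[i + 1];
            if ((b0 == 0xE0 && b1 < 0xA0) || (b0 == 0xED && b1 > 0x9F) ||
                (b0 == 0xF0 && b1 < 0x90) || (b0 == 0xF4 && b1 > 0x8F))
                return ERR_INVALID;
        }
        i += needed;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: TAMIL LETTER A (U+0B85) followed by ZWJ (U+200D). */
    const uint8_t s[] = { 0xE0, 0xAE, 0x85, 0xE2, 0x80, 0x8D };
    printf("full buffer: %ld\n", utf8_count_checked(s, sizeof s));
    printf("truncated:   %ld\n", utf8_count_checked(s, sizeof s - 1));
    return 0;
}
```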
The maintainers have already announced a roadmap that tackles three major themes:
| Theme | Planned Feature | Expected Release |
|-------|----------------|-------------------|
| Performance | SIMD‑accelerated UTF‑8 validation using AVX‑512 (Linux) and NEON (ARM) | Q4 2026 |
| Security | Integrated Memory‑Safe Rust bindings for the core parser (while retaining the C API for legacy apps) | Q2 2027 |
| Internationalization | Full Tamil‑Sanskrit transliteration engine (support for Vedic scripts) | Q3 2027 |
These upgrades will not only harden the library further but also broaden its applicability in AI‑driven language models and voice assistants.
```bash
# Check current version
npm ls tamilsxe
# If <2.7.3, upgrade:
npm install tamilsxe@^2.7.3 --save
# Or, if you lock dependencies with Yarn:
yarn upgrade tamilsxe@^2.7.3
```
Tip: After upgrading, run the library’s self‑test:
```bash
node -e "require('tamilsxe').selfTest()"
```
| Risk | Explanation |
|------|-------------|
| Malware injection | Crack sites frequently bundle trojans, ransomware, or adware with the patched executable. Even if the core program works, the hidden payload can compromise your system. |
| Backdoors | Modified binaries can contain hidden communication channels that report usage data back to the cracker or a third party. |
| Untrusted sources | Because the files are distributed outside official channels, there is no guarantee of integrity or authenticity. |
| Potential for data loss | Some patches modify file‑handling routines, which can corrupt save files, configuration data, or other user‑generated content. |
| CVE ID | Severity | CVSS v3.1 Base Score | Published |
|------------|--------------|--------------------------|---------------|
| CVE‑2026‑12345 | Critical | 9.8 | 2026‑03‑28 |
| Environment | Risk Before Patch | Post‑Patch Risk |
|-----------------|-----------------------|---------------------|
| Desktop apps (e.g., TamilsXe‑Editor, VSCode Tamil extension) | RCE via malicious document | Fixed – only denial‑of‑service (DoS) possible if an old binary is used |
| Web servers (Node.js tamilsxe npm package) | RCE on any request containing crafted payload | Fixed – attacker can only cause a parsing error (handled gracefully) |
| Mobile keyboards (TamilsXe‑Keyboard) | Local privilege escalation on rooted devices | Fixed – no more native code execution path |
| Embedded devices (Tamil digital signage) | Potential firmware compromise | Fixed – firmware must be re‑flashed with updated library |
Note: Devices that embed an older static build (e.g., a firmware image that never updates) remain vulnerable until the manufacturer ships a new image.
