- Type: Improvement
- Resolution: Fixed
- Priority: Minor - P4
- Affects Version/s: None
- Component/s: Internal Code
- Fully Compatible
- Service arch 2020-10-19
All the <cctype> functions (isxdigit, isalnum, etc.) take an int parameter, not a char. An inspection of our codebase shows that we are passing char to them all the time, and this is incorrect and potentially UB. A negative char will be sign-extended to int, which will be outside the range [0,255]. These functions use table lookups, so this will become an access outside the lookup table bounds.
https://en.cppreference.com/w/cpp/header/cctype
Typical warning on the cppreference.com docs for such functions.
https://en.cppreference.com/w/cpp/string/byte/isalpha
Like all other functions from <cctype>, the behavior of std::isalpha is undefined if the argument's value is neither representable as unsigned char nor equal to EOF. To use these functions safely with plain chars (or signed chars), the argument should first be converted to unsigned char:
Another subtle problem with these functions is that all except isdigit and isxdigit are locale-dependent. This is rarely anticipated by callers, who are expecting "C" locale ASCII behavior. We might be better off writing wrappers for these 12 functions and lint-warning against #include <cctype> or #include <ctype.h>. The wrappers can take char, and be locale independent.
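The wrapper approach proposed above, shown as an added example (not the project's own code): classifiers that take `char`, convert through `unsigned char`, and use fixed ASCII ranges so neither the locale nor a lookup table is involved. The namespace `ascii_ctype` and all function names are hypothetical, and the block covers seven of the classifiers.

```cpp
#include <cstdio>
#include <string>

// Hypothetical names for illustration; not the project's actual wrappers.
namespace ascii_ctype {

// Map a plain char to 0..255. A negative char (e.g. '\xE9' where char is
// signed) would otherwise be sign-extended to a negative int.
constexpr unsigned char uc(char c) { return static_cast<unsigned char>(c); }

// Fixed ASCII ranges: no locale lookup, no table indexing.
constexpr bool isDigit(char c) { return uc(c) >= '0' && uc(c) <= '9'; }
constexpr bool isUpper(char c) { return uc(c) >= 'A' && uc(c) <= 'Z'; }
constexpr bool isLower(char c) { return uc(c) >= 'a' && uc(c) <= 'z'; }
constexpr bool isAlpha(char c) { return isUpper(c) || isLower(c); }
constexpr bool isAlnum(char c) { return isAlpha(c) || isDigit(c); }
constexpr bool isXdigit(char c) {
    return isDigit(c) || (uc(c) >= 'a' && uc(c) <= 'f') || (uc(c) >= 'A' && uc(c) <= 'F');
}
constexpr bool isSpace(char c) { return c == ' ' || (uc(c) >= '\t' && uc(c) <= '\r'); }

}  // namespace ascii_ctype

// Value that is always a valid <cctype> argument for the same byte.
constexpr int asCtypeArg(char c) { return ascii_ctype::uc(c); }

// Caller-side use: validate untrusted bytes without touching <cctype>.
bool isHexString(const std::string& s) {
    if (s.empty()) return false;
    for (char c : s)
        if (!ascii_ctype::isXdigit(c)) return false;
    return true;
}

int main() {
    const std::string good = "deadBEEF01";
    const std::string bad = "de\xE9" "ad";  // constructed input with a byte >= 0x80
    std::printf("%d %d %d\n", isHexString(good), isHexString(bad), asCtypeArg('\xE9'));
    return 0;
}
```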
- is related to: SERVER-71747 Move mongo ctype lint to clang tidy (Closed)