Severity by source
CVSS vector (NVD, primary rating; only source for this CVE):
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (source: CVE.org)
A flaw has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb. This vulnerability affects the function matchstar of the file re.c of the component Pattern Handler. This manipulation causes inefficient regular expression complexity. The attack is restricted to local execution. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
Analysis (AI-generated)
ReDoS (Regular Expression Denial of Service) in kokke tiny-regex-c up to commit f2632c6d9ed25272987471cdb8b70395c2460bdb allows local low-privileged attackers to cause availability degradation by supplying crafted input to the matchstar function in re.c, triggering exponential backtracking in the pattern handler. A public proof-of-concept exploit (tiny-regex-c-redos-poc.zip) has been published, though no vendor patch exists and the project maintainer has not responded to the responsible disclosure. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires local system access with at least a low-privilege user account (CVSS AV:L, PR:L); there is no network-based attack path. … |
| Risk Assessment | The CVSS 4.0 base score of 1.9 accurately reflects a tightly constrained threat: AV:L (local access required, no network exploitation path), PR:L (low-privilege attacker account needed), AC:L (no special conditions beyond access), and impact limited to VA:L (low availability degradation, not a full crash or system-wide DoS). … |
| Exploit Scenario | A local attacker with a low-privilege account on a system running an application that embeds tiny-regex-c crafts a regex pattern and input string specifically designed to trigger worst-case backtracking in `matchstar`; for example, a pattern like `(a+)+` against an input of repeated 'a' characters followed by a non-matching character. The application's processing thread spins consuming CPU, degrading or stalling the service for other users. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the project maintainer has not responded to the vulnerability report filed at https://github.com/kokke/tiny-regex-c/issues/100. … |
Related advisory identifiers
- EUVD-2026-35009
- GHSA-8hjh-2xhj-mx62