Skip to main content

Minimatch CVE-2026-26996

HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-02-20 security-advisories@github.com GHSA-3ppc-4f35-3m26
Denial Of Service Minimatch Red Hat Suse
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 22:04 vuln.today
PoC Detected
Mar 06, 2026 - 21:32 vuln.today
Public exploit code
Patch released
Mar 06, 2026 - 21:32 nvd
Patch available
CVE Published
Feb 20, 2026 - 03:16 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 npm packages depend on minimatch (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 10.0.0.

DescriptionGitHub Advisory

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.

AnalysisAI

Minimatch versions 10.2.0 and below suffer from catastrophic backtracking in regular expression processing when glob patterns contain multiple consecutive wildcards, enabling denial of service attacks with exponential time complexity. Applications that process user-supplied glob patterns are vulnerable to CPU exhaustion, with worst-case scenarios causing indefinite hangs; public exploit code exists for this vulnerability. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft glob pattern with many consecutive * wildcards
Exploit
Pass pattern to minimatch()
Execution
Trigger exponential regex backtracking
Impact
Exhaust CPU resources causing denial of service
Sign in to reveal

Vulnerability AssessmentAI

Exploitation No special conditions — remote unauthenticated exploitation against minimatch versions 10.2.0 and below when processing user-supplied glob patterns with consecutive wildcards followed by non-matching literal characters. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker could exploit this vulnerability to compromise the affected system.
Remediation A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all applications and dependencies using minimatch library and assess exposure scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container rancher/elemental-channel/sl-micro:6.0-baremetal Container rancher/elemental-channel/sl-micro:6.0-base Container rancher/elemental-channel/sl-micro:6.0-kvm Container rancher/elemental-channel/sl-micro:6.0-rt Container suse/sl-micro/6.0/baremetal-iso-image:latest Container suse/sl-micro/6.0/base-iso-image:latest Container suse/sl-micro/6.0/kvm-iso-image:latest Container suse/sl-micro/6.0/rt-iso-image:latest Container suse/sl-micro/6.1/baremetal-iso-image:latest Container suse/sl-micro/6.1/base-iso-image:latest Container suse/sl-micro/6.1/kvm-iso-image:latest Container suse/sl-micro/6.1/rt-iso-image:latest Affected
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.88 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-EC2 Affected
Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Container suse/sl-micro/6.1/baremetal-os-container:latest Container suse/sl-micro/6.1/base-os-container:latest Container suse/sl-micro/6.1/kvm-os-container:latest Container suse/sl-micro/6.1/rt-os-container:latest Image SL-Micro Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SLE-Micro-BYOS-GCE Image SLE-Micro-GCE Affected
Container suse/sl-micro/6.0/toolbox:latest Affected
SUSE Liberty Linux 8 Fixed

Share

CVE-2026-26996 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy