Skip to main content

MDEx CVE-2026-53428

| EUVDEUVD-2026-40175 MEDIUM
Memory Allocation with Excessive Size Value (CWE-789)
2026-06-29 EEF
6.9
CVSS 4.0 · Vendor: EEF
Share

Severity by source

Vendor (EEF) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Attack is delivered over the network via submitted Markdown; no auth or interaction needed; BEAM crash terminates all co-tenant sessions, constituting a scope change beyond the library component.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (EEF).

CVSS VectorVendor: EEF

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 19:22 vuln.today

DescriptionCVE.org

Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.

comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block's highlight_lines decorator into a Vec<usize>, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines="1-100000000", forcing the native adapter to allocate roughly 8 bytes per line in the range.

A payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.

The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.

This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.

AnalysisAI

Unbounded memory allocation in the MDEx Elixir Markdown rendering library allows a remote unauthenticated attacker to exhaust host memory and crash the BEAM virtual machine by submitting a single crafted fenced code block with an oversized highlight_lines range. Any application that renders user-supplied Markdown through MDEx.to_html/2 - such as a comment box, chat message, or wiki page - is exposed; a payload differing by only a few bytes can force hundreds of megabytes to gigabytes of allocation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts Markdown payload with oversized highlight_lines range
Delivery
Submits payload via public content form (comment, chat, wiki)
Exploit
Application passes unsanitized Markdown to MDEx.to_html/2
Execution
Native NIF allocates unbounded Vec<usize> in Rust heap
Persist
Host memory exhausted or BEAM abort signal triggered
Impact
Entire application process crashes, all active users denied service

Vulnerability AssessmentAI

Exploitation The vulnerability is triggered when all of the following conditions are met: (1) the application calls MDEx.to_html/2 or an equivalent MDEx rendering function with user-controlled Markdown content; (2) the Markdown contains a fenced code block whose info string includes the `highlight_lines` decorator with a large integer range, e.g., `highlight_lines="1-2000000000"`; and (3) the application does not sanitize or cap the fenced code block info string before passing it to MDEx. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.0 score of 6.9 uses AV:L (Local attack vector), which appears to reflect the NIF library's invocation context as a process-local component rather than the realistic end-to-end attack path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker posts a comment on a web forum powered by an Elixir application using MDEx, embedding a fenced code block with the info string `rust highlight_lines="1-2000000000"` - a payload indistinguishable in length from a legitimate code block. When the server renders the page (server-side or on any user request), the MDEx NIF materializes approximately 16 GB of Vec<usize> allocation, exhausting host memory and aborting the BEAM process, taking the entire application offline for all concurrent users. …
Remediation Upgrade mdex to version 0.12.3 or later and mdex_native to version 0.2.3 or later; the upstream fix is available in commit 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3 at https://github.com/leandrocp/mdex_native/commit/798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53428 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy