Skip to main content

Suse EUVDEUVD-2026-19474

| CVE-2026-35201 MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-06 https://github.com/davidfstr/rdiscount GHSA-6r34-94wq-jhrc
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Apr 06, 2026 - 19:00 euvd
EUVD-2026-19474
Analysis Generated
Apr 06, 2026 - 19:00 vuln.today
Patch released
Apr 06, 2026 - 19:00 nvd
Patch available
CVE Published
Apr 06, 2026 - 17:53 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

Summary

A signed length truncation bug causes an out-of-bounds read in the default Markdown parse path. Inputs larger than INT_MAX are truncated to a signed int before entering the native parser, allowing the parser to read past the end of the supplied buffer and crash the process

Details

In both public entry points:

  • ext/rdiscount.c:97
  • ext/rdiscount.c:136

RSTRING_LEN(text) is passed directly into mkd_string():

c
MMIOT *doc = mkd_string(RSTRING_PTR(text), RSTRING_LEN(text), flags);

mkd_string() accepts int len:

  • ext/mkdio.c:174
c
Document * mkd_string(const char *buf, int len, mkd_flag_t flags)
{
    struct string_stream about;

    about.data = buf;
    about.size = len;

    return populate((getc_func)__mkd_io_strget, &about, flags & INPUT_MASK);
}

The parser stores the remaining input length in a signed int:

  • ext/markdown.h:205
c
struct string_stream {
    const char *data;
    int   size;
};

The read loop stops only when size == 0:

  • ext/mkdio.c:161
c
int __mkd_io_strget(struct string_stream *in)
{
    if ( !in->size ) return EOF;

    --(in->size);

    return *(in->data)++;
}

If the Ruby string length exceeds INT_MAX, the value can truncate to a negative int. In that state, the parser continues incrementing data and reading past the end of the original Ruby string, causing an out-of-bounds read and native crash.

Affected APIs:

  • RDiscount.new(input).to_html
  • RDiscount.new(input).toc_content

PoC

Crash via to_html:

sh
RUBYLIB=lib:ext ruby -e 'require "rdiscount"; n=2_200_000_000; s = "a" * n; warn "built=#{s.bytesize}"; RDiscount.new(s).to_html"'

result:

  • built=2200000000
  • Ruby terminates with [BUG] Segmentation fault
  • top control frame: CFUNC :to_html

same result with toc_content

Impact

This is an out-of-bounds read with the main issue being reliable denial-of-service. Impacted is limited to deployments parses attacker-controlled Markdown and permits multi-GB inputs.

Fix

just add a checked length guard before the mkd_string() call in both public entry points:

  • ext/rdiscount.c:97
  • ext/rdiscount.c:136

ex:

c
VALUE text = rb_funcall(self, rb_intern("text"), 0);
long text_len = RSTRING_LEN(text);
VALUE buf = rb_str_buf_new(1024);
Check_Type(text, T_STRING);

if (text_len > INT_MAX) {
    rb_raise(rb_eArgError, "markdown input too large");
}

MMIOT *doc = mkd_string(RSTRING_PTR(text), (int)text_len, flags);

The same guard should be applied in rb_rdiscount_toc_content() before its mkd_string() call.

AnalysisAI

Out-of-bounds read in RDiscount's Markdown parser allows denial-of-service when processing attacker-controlled inputs exceeding 2GB. The vulnerability occurs because unsigned Ruby string lengths are truncated to signed integers before passing to the native parser, causing the parser to read past buffer boundaries and crash. Affected are RDiscount.new(input).to_html and RDiscount.new(input).toc_content methods. No public exploitation beyond proof-of-concept exists; patch version 2.2.7.4 is available.

Technical ContextAI

RDiscount is a Ruby gem wrapping the discount C Markdown parser. The vulnerability stems from a signed/unsigned integer mismatch in the C extension layer. Ruby's RSTRING_LEN() macro returns a C long (unsigned on 64-bit systems), but both public entry points in ext/rdiscount.c pass this directly to mkd_string() which accepts a signed int parameter. The discount parser stores the input length in struct string_stream as a signed int and decrements it in a loop until reaching zero. When a Ruby string exceeds INT_MAX (2^31-1 bytes, approximately 2.1GB), the truncation causes the size field to become negative. Since the loop condition checks only for zero, a negative size never terminates, causing __mkd_io_strget() to continue reading from data pointer beyond the allocated buffer boundary. The root cause is CWE-125 (out-of-bounds read) combined with integer truncation logic that fails to validate input ranges before type conversion.

RemediationAI

Upgrade RDiscount to version 2.2.7.4 or later, which includes a length validation guard in both mkd_string() call sites (ext/rdiscount.c lines 97 and 136). The patch explicitly checks if text_len exceeds INT_MAX before type conversion and raises ArgumentError with message 'markdown input too large' if the threshold is exceeded. For gems, update via bundle update rdiscount or gem install rdiscount -v '2.2.7.4'. Until patching is possible, implement input size limits at the application level by rejecting Markdown inputs exceeding a reasonable threshold (e.g., 100MB) before passing to RDiscount. The patch and advisory are available at https://github.com/davidfstr/rdiscount/commit/b1a16445e92e0d12c07594dedcdc56f80b317761 and https://github.com/advisories/GHSA-6r34-94wq-jhrc.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-19474 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy