CVE-2026-26996: CWE-1333: Inefficient Regular Expression Complexity in isaacs minimatch
CVE-2026-26996 is a high-severity Regular Expression Denial of Service (ReDoS) vulnerability in the isaacs minimatch library versions 10.2.0 and below. The issue arises when a glob pattern contains many consecutive '*' wildcards followed by a literal character not present in the test string, causing exponential backtracking in the V8 regex engine. This leads to extremely high processing times or hangs, effectively enabling denial of service. Exploitation requires no authentication or user interaction and can be triggered remotely if user-controlled input is passed as the pattern argument to minimatch(). The vulnerability has been fixed in version 10.2.1. Organizations using minimatch in their JavaScript applications, especially those processing untrusted input, are at risk of service disruption.
AI Analysis
Technical Summary
The vulnerability CVE-2026-26996 affects the isaacs minimatch library, a utility that converts glob expressions into JavaScript regular expressions. Versions 10.2.0 and earlier are susceptible to a Regular Expression Denial of Service (ReDoS) attack due to inefficient handling of patterns containing multiple consecutive '*' wildcards followed by a literal character absent from the test string. Each '*' wildcard compiles into a separate non-greedy regex group ([^/]*?), and when the regex engine attempts to match the pattern against a string that does not contain the literal character, the V8 JavaScript engine performs exponential backtracking across all possible group splits. This results in a time complexity of O(4^N), where N is the number of '*' characters. For example, with 15 '*' characters, a single call to minimatch() can take approximately 2 seconds, and with 34 '*' characters, the process can hang indefinitely. This vulnerability can be exploited remotely without any authentication or user interaction if an application passes user-controlled input as the pattern argument to minimatch(). The issue has been addressed in minimatch version 10.2.1, which optimizes the regex compilation to prevent excessive backtracking. No known exploits have been reported in the wild as of the publication date.
Potential Impact
The primary impact of this vulnerability is a denial of service condition caused by excessive CPU consumption during regex evaluation. Applications that use minimatch to process user-supplied glob patterns can be forced into high CPU usage or become unresponsive, leading to service degradation or outages. This can affect web servers, build systems, file watchers, and any JavaScript-based tooling that relies on minimatch for pattern matching. The vulnerability does not directly compromise confidentiality or integrity but can severely impact availability. Attackers can exploit this flaw remotely without authentication or user interaction, making it a significant risk for internet-facing services. Organizations relying on minimatch in critical infrastructure or high-traffic environments may experience operational disruptions, increased resource costs, and potential cascading failures in dependent systems.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade all instances of the minimatch library to version 10.2.1 or later, where the issue is fixed. Additionally, developers should implement input validation and sanitization to restrict or reject glob patterns containing excessive consecutive '*' wildcards, especially when patterns originate from untrusted sources. Rate limiting and anomaly detection on pattern submission endpoints can help detect and block abuse attempts. For critical systems, consider isolating or sandboxing pattern matching operations to prevent resource exhaustion from impacting other services. Monitoring CPU usage and response times for services using minimatch can provide early warning signs of exploitation attempts. Finally, maintain an inventory of software dependencies to ensure timely updates and vulnerability patching.
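The input-validation step recommended above, as an added example that is not part of this advisory and not minimatch's own code. It is a pre-filter to run on untrusted glob patterns before they reach minimatch(): it counts unescaped '*' wildcards per path segment, rejects patterns whose longest run or total count exceeds a policy threshold, and optionally collapses runs of '*' to a single '*'. The function names (tokenize, starStats, normalizeStars, checkPattern, safePattern), the thresholds in DEFAULT_POLICY and the assumption that a run of consecutive '*' inside one segment matches the same strings as a single '*' (a bare "**" segment being the globstar, kept as-is) are the example's own, not taken from the library.

```javascript
'use strict';

// Added example (not minimatch's code): pre-filter for untrusted glob patterns.
// Assumption: within one path segment, "***..." matches the same strings as "*";
// a segment that is exactly "**" is the globstar and is preserved.
// Backslash-escaped '\*' is a literal character and is never counted as a wildcard.

// Split one path segment into tokens, keeping "\x" escapes as a single token.
function tokenize(segment) {
  const tokens = [];
  for (let i = 0; i < segment.length; i++) {
    if (segment[i] === '\\' && i + 1 < segment.length) {
      tokens.push(segment.slice(i, i + 2)); // escaped character, treated as literal
      i++;
    } else {
      tokens.push(segment[i]);
    }
  }
  return tokens;
}

// Longest run of consecutive unescaped '*' in any segment, and the total count.
function starStats(pattern) {
  let longestRun = 0;
  let total = 0;
  for (const segment of pattern.split('/')) {
    let run = 0;
    for (const tok of tokenize(segment)) {
      if (tok === '*') {
        run++;
        total++;
        longestRun = Math.max(longestRun, run);
      } else {
        run = 0;
      }
    }
  }
  return { longestRun, total };
}

// Collapse runs of unescaped '*' within each segment to a single '*'.
// A segment that is exactly "**" (globstar) is left untouched.
function normalizeStars(pattern) {
  return pattern
    .split('/')
    .map((segment) => {
      if (segment === '**') return segment;
      const out = [];
      let prevStar = false;
      for (const tok of tokenize(segment)) {
        const isStar = tok === '*';
        if (isStar && prevStar) continue; // drop the repeated wildcard
        out.push(tok);
        prevStar = isStar;
      }
      return out.join('');
    })
    .join('/');
}

// Policy thresholds are assumed values, chosen well below the counts the
// advisory cites (about 2 s at 15 wildcards, a hang at 34).
const DEFAULT_POLICY = { maxRun: 2, maxTotalStars: 8, maxLength: 256 };

// Returns { ok, reason }; reason is null when the pattern passes the policy.
function checkPattern(pattern, policy = DEFAULT_POLICY) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern must be a string' };
  if (pattern.length > policy.maxLength) return { ok: false, reason: 'pattern too long' };
  const { longestRun, total } = starStats(pattern);
  if (longestRun > policy.maxRun) {
    return { ok: false, reason: `run of ${longestRun} consecutive '*' wildcards` };
  }
  if (total > policy.maxTotalStars) {
    return { ok: false, reason: `${total} '*' wildcards in pattern` };
  }
  return { ok: true, reason: null };
}

// Normalize first, then apply the policy; callers pass `normalized` to minimatch()
// only when `ok` is true.
function safePattern(pattern, policy = DEFAULT_POLICY) {
  const normalized = normalizeStars(pattern);
  const verdict = checkPattern(normalized, policy);
  return { normalized, ...verdict };
}

// Example usage with a constructed untrusted pattern (16 wildcards then a literal):
console.log(checkPattern('****************x')); // rejected by the run limit
console.log(safePattern('****************x')); // normalized to '*x' and accepted
console.log(checkPattern('src/**/*.js'));       // ordinary build pattern, accepted
```

Rejecting is the simpler policy and keeps the pattern the caller actually submitted; normalizing is useful where a long run of '*' is a plausible typo rather than abuse. Either way the filter is defence in depth on top of the upgrade to 10.2.1, not a substitute for it, and a rejection counter on the endpoint gives the anomaly-detection signal the recommendations mention.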
Affected Countries
United States, India, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, Brazil, South Korea, China, Russia, Israel
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-17T01:41:24.607Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6997d231d7880ec89b52f4e3
Added to database: 2/20/2026, 3:17:05 AM
Last enriched: 2/20/2026, 3:31:21 AM
Last updated: 2/20/2026, 5:58:13 AM