CVE-2026-40890: CWE-125: Out-of-bounds Read in gomarkdown markdown
The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. This vulnerability is fixed with commit 759bbc3e32073c3bc4e25969c132fc520eda2778.
AI Analysis
Technical Summary
The gomarkdown markdown Go library contains an out-of-bounds read vulnerability (CWE-125) triggered by malformed input with a '<' character not followed by a '>' character when rendered with SmartypantsRenderer. This can cause the library to panic or crash. The vulnerability affects all versions before commit 759bbc3e32073c3bc4e25969c132fc520eda2778. The CVSS 3.1 score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating network exploitable with low attack complexity, no privileges or user interaction required, and impacts availability only. No known exploits in the wild have been reported. The vulnerability is fixed in the referenced commit.
Potential Impact
Successful exploitation results in an out-of-bounds read causing a panic or crash of applications using the vulnerable gomarkdown markdown library with SmartypantsRenderer. This impacts availability but does not affect confidentiality or integrity. There are no reports of active exploitation.
Mitigation Recommendations
Upgrade the gomarkdown markdown library to the version that includes commit 759bbc3e32073c3bc4e25969c132fc520eda2778 or later, which fixes the vulnerability. Patch status is confirmed by the commit reference. No other mitigations are indicated.
CVE-2026-40890: CWE-125: Out-of-bounds Read in gomarkdown markdown
Description
The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. This vulnerability is fixed with commit 759bbc3e32073c3bc4e25969c132fc520eda2778.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The gomarkdown markdown Go library contains an out-of-bounds read vulnerability (CWE-125) triggered by malformed input with a '<' character not followed by a '>' character when rendered with SmartypantsRenderer. This can cause the library to panic or crash. The vulnerability affects all versions before commit 759bbc3e32073c3bc4e25969c132fc520eda2778. The CVSS 3.1 score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating network exploitable with low attack complexity, no privileges or user interaction required, and impacts availability only. No known exploits in the wild have been reported. The vulnerability is fixed in the referenced commit.
Potential Impact
Successful exploitation results in an out-of-bounds read causing a panic or crash of applications using the vulnerable gomarkdown markdown library with SmartypantsRenderer. This impacts availability but does not affect confidentiality or integrity. There are no reports of active exploitation.
Mitigation Recommendations
Upgrade the gomarkdown markdown library to the version that includes commit 759bbc3e32073c3bc4e25969c132fc520eda2778 or later, which fixes the vulnerability. Patch status is confirmed by the commit reference. No other mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T16:37:22.766Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7d78519fe3cd2cdf5b32a
Added to database: 4/21/2026, 8:01:09 PM
Last enriched: 4/21/2026, 8:16:23 PM
Last updated: 4/22/2026, 6:08:14 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.