UBUNTU-CVE-2026-46627
Twig, a PHP template language, has a vulnerability in its sandbox prior to version 3.26.0 where it does not prevent templates from consuming excessive CPU, memory, or wall-clock time. This allows untrusted templates to cause resource exhaustion. The issue is addressed in version 3.26.0 by clarifying that the sandbox does not protect against resource exhaustion.
AI Analysis
Technical Summary
The vulnerability in Twig versions prior to 3.26.0 involves the sandbox feature failing to limit resource consumption such as CPU, memory, or wall-clock time. Even with strict allow-listing, untrusted templates can exploit this to cause resource exhaustion. The fix in version 3.26.0 is a documentation update clarifying that the sandbox does not mitigate resource exhaustion risks.
Potential Impact
Untrusted templates can cause resource exhaustion by consuming excessive CPU, memory, or wall-clock time, potentially leading to denial of service conditions. There is no indication of code execution or data leakage from this vulnerability.
Mitigation Recommendations
Upgrade to Twig version 3.26.0 or later, which includes documentation clarifying the sandbox limitations. Since the sandbox does not prevent resource exhaustion, additional external resource controls or monitoring may be necessary to mitigate risk.
UBUNTU-CVE-2026-46627
Description
Twig, a PHP template language, has a vulnerability in its sandbox prior to version 3.26.0 where it does not prevent templates from consuming excessive CPU, memory, or wall-clock time. This allows untrusted templates to cause resource exhaustion. The issue is addressed in version 3.26.0 by clarifying that the sandbox does not protect against resource exhaustion.
CVSS v4.0
Affected software
pkg:deb/ubuntu/[email protected]~esm2?arch=source&distro=esm-apps/focalpkg:deb/ubuntu/[email protected]+esm2?arch=source&distro=esm-apps/jammypkg:deb/ubuntu/[email protected]+esm1?arch=source&distro=esm-apps/noblepkg:deb/ubuntu/[email protected]?arch=source&distro=questingpkg:deb/ubuntu/[email protected]~esm1?arch=source&distro=esm-apps/resoluteRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Twig versions prior to 3.26.0 involves the sandbox feature failing to limit resource consumption such as CPU, memory, or wall-clock time. Even with strict allow-listing, untrusted templates can exploit this to cause resource exhaustion. The fix in version 3.26.0 is a documentation update clarifying that the sandbox does not mitigate resource exhaustion risks.
Potential Impact
Untrusted templates can cause resource exhaustion by consuming excessive CPU, memory, or wall-clock time, potentially leading to denial of service conditions. There is no indication of code execution or data leakage from this vulnerability.
Mitigation Recommendations
Upgrade to Twig version 3.26.0 or later, which includes documentation clarifying the sandbox limitations. Since the sandbox does not prevent resource exhaustion, additional external resource controls or monitoring may be necessary to mitigate risk.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- UBUNTU-CVE-2026-46627
- Osv Schema Version
- 1.7.0
- Aliases
- []
- Ecosystems
- ["Ubuntu:Pro:20.04:LTS","Ubuntu:Pro:22.04:LTS","Ubuntu:Pro:24.04:LTS","Ubuntu:25.10","Ubuntu:Pro:26.04:LTS"]
- Database Specific Severity
- null
- Cvss Version
- 4.0
Threat ID: 6a58b4a068715ace43da8d5d
Added to database: 07/16/2026, 10:38:24 UTC
Last enriched: 07/16/2026, 12:31:21 UTC
Last updated: 07/16/2026, 12:31:21 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.