Bug 2442919 (CVE-2026-27903)

Summary: CVE-2026-27903 minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, akostadi, alcohan, alizardo, amasferr, anthomas, aschwart, asoldano, ataylor, bbaranow, bbrownin, bdettelb, bmaxwell, boliveir, brian.stansberry, bsmejkal, caswilli, chfoley, cmah, darran.lofthouse, dbruscin, dfreiber, dhanak, dkuc, dmayorov, doconnor, dosoudil, drosa, drow, dschmidt, eaguilar, ebaron, ehelms, erezende, eric.wittmann, fjuma, ggainey, ggrzybek, gmalinko, gparvin, ibek, istudens, ivassile, iweiss, jachapma, janstey, jbalunas, jburrell, jcantril, jchui, jhe, jkoehler, jlanda, jlledo, jolong, jrokos, jscholz, juwatts, kaycoth, kshier, ktsao, kvanderr, kverlaen, lchilton, lphiri, manissin, mattdavi, mhulan, mnovotny, mosmerov, mposolda, mstipich, msvehla, mwringe, nboldt, nipatil, nmoumoul, nwallace, orabin, osousa, pahickey, pantinor, parichar, pberan, pbizzarr, pcreech, pdelbell, pesilva, pjindal, pmackay, progier, psrna, rchan, rexwhite, rhaigner, rjohnson, rkubis, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sfeifer, simaishi, smaestri, smallamp, smcdonal, snegrini, spichugi, ssidhaye, ssilvert, stcannon, sthirugn, sthorger, swoodman, tasato, tbordaz, teagle, tmalecek, tom.jenkinson, tsedmik, vashirov, vkumar, vmuzikar, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in minimatch, a utility for converting glob expressions into JavaScript regular expressions. A remote attacker can exploit this vulnerability by providing a specially crafted glob pattern containing multiple non-adjacent `**` (GLOBSTAR) segments. This can lead to unbounded recursive backtracking in the `matchOne()` function, causing a Denial of Service (DoS) by stalling the Node.js event loop for an extended period.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-26 02:01:36 UTC 
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.