Bug 2442922 (CVE-2026-27904)

Summary:	CVE-2026-27904 minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	aazores, abarbaro, abrianik, abuckta, akostadi, alcohan, alizardo, amasferr, anthomas, aschwart, asoldano, ataylor, bbaranow, bbrownin, bdettelb, bmaxwell, boliveir, brian.stansberry, bsmejkal, caswilli, chfoley, cmah, darran.lofthouse, dbruscin, dfreiber, dhanak, dkuc, dmayorov, doconnor, dosoudil, drosa, drow, dschmidt, eaguilar, ebaron, ehelms, erezende, eric.wittmann, fjuma, ggainey, ggrzybek, gmalinko, gparvin, ibek, istudens, ivassile, iweiss, jachapma, janstey, jbalunas, jburrell, jcantril, jchui, jhe, jkoehler, jlanda, jlledo, jolong, jrokos, jscholz, juwatts, kaycoth, kshier, ktsao, kvanderr, kverlaen, lchilton, lphiri, manissin, mattdavi, mhulan, mnovotny, mosmerov, mposolda, mstipich, msvehla, mwringe, nboldt, nipatil, nmoumoul, nwallace, orabin, osousa, pahickey, pantinor, parichar, pberan, pbizzarr, pcreech, pdelbell, pesilva, pjindal, pmackay, progier, psrna, rchan, rexwhite, rhaigner, rjohnson, rkubis, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sfeifer, simaishi, smaestri, smallamp, smcdonal, snegrini, spichugi, ssidhaye, ssilvert, stcannon, sthirugn, sthorger, swoodman, tasato, tbordaz, teagle, tmalecek, tom.jenkinson, tsedmik, vashirov, vkumar, vmuzikar, yguenane
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A flaw was found in minimatch. A remote attacker could exploit this vulnerability by providing a specially crafted glob expression with nested unbounded quantifiers. This could lead to catastrophic backtracking in the V8 JavaScript engine, causing the application to become unresponsive and resulting in a Denial of Service (DoS).	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-26 02:01:46 UTC

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.