Bug 2461603 (CVE-2026-41680)

Summary: CVE-2026-41680 marked: Marked: Denial of Service via specific input sequence
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abarbaro, alcohan, alizardo, amctagga, anjoseph, anpicker, anthomas, aoconnor, asoldano, bbaranow, bmaxwell, bniver, bparees, bstansbe, caswilli, cdrage, chfoley, dlofthou, dschmidt, ehelms, erezende, ewittman, flucifre, ggainey, gmalinko, gmeno, gparvin, groman, hasun, istudens, ivassile, iweiss, janstey, jbalunas, jchui, jfula, jhe, jkoehler, jlanda, jowilson, jprabhak, juwatts, jwong, kaycoth, kbempah, kshier, ktsao, lchilton, lphiri, mbarnett, mbenjamin, mhackett, mhulan, mosmerov, msvehla, nboldt, nipatil, nmoumoul, nwallace, nyancey, oaljalju, omaciel, ometelka, osousa, pahickey, pantinor, pberan, pcreech, pdelbell, pesilva, pjindal, pmackay, psrna, ptisnovs, rchan, rgodfrey, rhaigner, rhel-process-autobot, rkubis, rstancel, rstepani, rushinde, sfeifer, simaishi, smaestri, smallamp, smcdonal, solenoci, sostapov, stcannon, swoodman, syedriko, teagle, thjenkin, tmalecek, ttakamiy, vdosoudi, vereddy, watson-tool-maintainers, wtam, xdharmai, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in marked, a markdown parser and compiler. An unauthenticated attacker can exploit this Denial of Service (DoS) vulnerability by providing a specific 3-byte input sequence (a tab, a vertical tab, and a newline). This input triggers an infinite recursion loop during parsing, leading to unbounded memory allocation and causing the host Node.js application to crash due to Memory Exhaustion (OOM).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2461791, 2461792, 2461793, 2461794, 2461795, 2461797, 2461798, 2461799, 2461800, 2461801, 2461796, 2461802, 2461804
Bug Blocks:

Description OSIDB Bzimport 2026-04-24 18:01:42 UTC
Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence, a tab, a vertical tab, and a newline (\x09\x0b\n), an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.