Bug 2483481 (CVE-2026-45149)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2026-45149 brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges | | |
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A flaw was found in the brace-expansion library. This vulnerability allows an attacker to cause a Denial of Service (DoS) by providing a large numeric range for expansion. The library allocates excessive memory to generate all intermediate elements before applying the maximum limit, leading to high memory consumption and potential application crashes. This can impact the availability of systems using the library. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was applied too late. When expanding a single large numeric range such as {1..10000000}, the sequence-generation loop generates all 10 million intermediate elements before the max limit is applied. With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800 ms building the full intermediate array. This vulnerability is fixed in 5.0.6.
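As an added illustration, not the brace-expansion library's own code, the following simplified JavaScript model of a numeric-range expander shows the difference between applying the max limit after the full range has been built and applying it inside the generation loop. All function names and the sample pattern are constructed for this example.

```javascript
// Simplified model of "{start..end}" expansion (hypothetical code, not the
// library's). Both variants return the same strings; they differ in how many
// intermediate elements are materialised before the limit takes effect.

// Late enforcement (the pre-5.0.6 pattern): build the whole range, then slice.
// `built` reports how many elements were allocated along the way.
function expandRangeLateMax(start, end, max, prefix = '', suffix = '') {
  const step = start <= end ? 1 : -1;          // ascending or descending range
  const all = [];
  for (let i = start; step > 0 ? i <= end : i >= end; i += step) {
    all.push(prefix + i + suffix);             // every element is allocated ...
  }
  const out = all.slice(0, max);               // ... before `max` is applied
  return { out, built: all.length };
}

// Early enforcement (the fixed pattern): stop generating once `max` items
// exist, so work and memory are bounded by the limit, not by the range size.
function expandRangeEarlyMax(start, end, max, prefix = '', suffix = '') {
  const step = start <= end ? 1 : -1;
  const out = [];
  for (let i = start; (step > 0 ? i <= end : i >= end) && out.length < max; i += step) {
    out.push(prefix + i + suffix);
  }
  return { out, built: out.length };
}

// Parse a single "prefix{a..b}suffix" pattern (integer bounds only) and
// expand it with the chosen strategy; input without a range is returned as-is.
function expandPattern(pattern, max, strategy) {
  const m = /^(.*?)\{(-?\d+)\.\.(-?\d+)\}(.*)$/.exec(pattern);
  if (!m) return { out: [pattern], built: 1 };
  const [, prefix, a, b, suffix] = m;
  return strategy(Number(a), Number(b), max, prefix, suffix);
}

// Constructed input: a 100,000-element range with max=10. Late enforcement
// builds all 100,000 strings to return 10 of them; early enforcement builds 10.
const late = expandPattern('file{1..100000}.txt', 10, expandRangeLateMax);
const early = expandPattern('file{1..100000}.txt', 10, expandRangeEarlyMax);
console.log(`late: ${late.out.length} returned, ${late.built} built`);
console.log(`early: ${early.out.length} returned, ${early.built} built`);
```

Scaling the constructed range up to the {1..10000000} case from the report reproduces the reported behaviour: the output stays at 10 items while the late variant still materialises all 10 million elements.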