Bug 2441268 (CVE-2026-26996) - CVE-2026-26996 minimatch: minimatch: Denial of Service via specially crafted glob patterns
Summary: CVE-2026-26996 minimatch: minimatch: Denial of Service via specially crafted ...
Keywords:
Status: NEW
Alias: CVE-2026-26996
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-02-20 04:01 UTC by OSIDB Bzimport
Modified: 2026-04-09 20:20 UTC (History)
135 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:7080 0 None None None 2026-04-08 13:54:23 UTC
Red Hat Product Errata RHSA-2026:7123 0 None None None 2026-04-08 18:04:39 UTC
Red Hat Product Errata RHSA-2026:7302 0 None None None 2026-04-09 12:47:35 UTC
Red Hat Product Errata RHSA-2026:7310 0 None None None 2026-04-09 13:19:43 UTC
Red Hat Product Errata RHSA-2026:7350 0 None None None 2026-04-09 20:20:19 UTC

Description OSIDB Bzimport 2026-02-20 04:01:35 UTC 
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Comment 3 errata-xmlrpc 2026-04-08 13:54:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:7080 https://access.redhat.com/errata/RHSA-2026:7080
Comment 4 errata-xmlrpc 2026-04-08 18:04:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:7123 https://access.redhat.com/errata/RHSA-2026:7123
Comment 5 errata-xmlrpc 2026-04-09 12:47:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7302 https://access.redhat.com/errata/RHSA-2026:7302
Comment 6 errata-xmlrpc 2026-04-09 13:19:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:7310 https://access.redhat.com/errata/RHSA-2026:7310
Comment 7 errata-xmlrpc 2026-04-09 20:20:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7350 https://access.redhat.com/errata/RHSA-2026:7350
Note You need to log in before you can comment on or make changes to this bug.