2442922 – (CVE-2026-27904) CVE-2026-27904 minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions

Bug 2442922 (CVE-2026-27904) - CVE-2026-27904 minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions

Summary: CVE-2026-27904 minimatch: Minimatch: Denial of Service via catastrophic backt...

Keywords:
Status:	NEW
Alias:	CVE-2026-27904
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-26 02:01 UTC by OSIDB Bzimport
Modified:	2026-04-15 22:24 UTC (History)
CC List:	129 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2026:8299	None	None	None	2026-04-15 12:35:01 UTC
Red Hat Product Errata	RHBA-2026:8353	None	None	None	2026-04-15 22:24:04 UTC
Red Hat Product Errata	RHSA-2026:6277	None	None	None	2026-03-31 16:03:52 UTC
Red Hat Product Errata	RHSA-2026:7080	None	None	None	2026-04-08 13:54:23 UTC
Red Hat Product Errata	RHSA-2026:7123	None	None	None	2026-04-08 18:04:39 UTC
Red Hat Product Errata	RHSA-2026:7302	None	None	None	2026-04-09 12:47:35 UTC
Red Hat Product Errata	RHSA-2026:7310	None	None	None	2026-04-09 13:19:43 UTC
Red Hat Product Errata	RHSA-2026:7896	None	None	None	2026-04-13 18:29:29 UTC
Red Hat Product Errata	RHSA-2026:7983	None	None	None	2026-04-14 06:51:53 UTC
Red Hat Product Errata	RHSA-2026:8339	None	None	None	2026-04-15 19:04:52 UTC

Description OSIDB Bzimport 2026-02-26 02:01:46 UTC

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

Comment 2 errata-xmlrpc 2026-03-31 16:03:43 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9
  Red Hat Ansible Automation Platform 2.6 for RHEL 10

Via RHSA-2026:6277 https://access.redhat.com/errata/RHSA-2026:6277

Comment 4 errata-xmlrpc 2026-04-08 13:54:14 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:7080 https://access.redhat.com/errata/RHSA-2026:7080

Comment 5 errata-xmlrpc 2026-04-08 18:04:30 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:7123 https://access.redhat.com/errata/RHSA-2026:7123

Comment 6 errata-xmlrpc 2026-04-09 12:47:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7302 https://access.redhat.com/errata/RHSA-2026:7302

Comment 7 errata-xmlrpc 2026-04-09 13:19:34 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:7310 https://access.redhat.com/errata/RHSA-2026:7310

Comment 10 errata-xmlrpc 2026-04-13 18:29:20 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:7896 https://access.redhat.com/errata/RHSA-2026:7896

Comment 11 errata-xmlrpc 2026-04-14 06:51:44 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:7983 https://access.redhat.com/errata/RHSA-2026:7983

Comment 12 errata-xmlrpc 2026-04-15 19:04:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:8339 https://access.redhat.com/errata/RHSA-2026:8339

Note You need to log in before you can comment on or make changes to this bug.

aazores
abarbaro
abrianik
abuckta
akostadi
alcohan
alizardo
amasferr
anthomas
aschwart
asoldano
ataylor
bbaranow
bbrownin
bdettelb
bmaxwell
boliveir
brian.stansberry
bsmejkal
caswilli
chfoley
cmah
darran.lofthouse
dbruscin
dfreiber
dhanak
dkuc
dmayorov
doconnor
dosoudil
drosa
drow
dschmidt
eaguilar
ebaron
ehelms
erezende
eric.wittmann
fjuma
ggainey
ggrzybek
gmalinko
gparvin
ibek
istudens
ivassile
iweiss
jachapma
janstey
jbalunas
jburrell
jcantril
jchui
jhe
jkoehler
jlanda
jlledo
jolong
jrokos
jscholz
juwatts
kaycoth
kshier
ktsao
kvanderr
kverlaen
lchilton
lphiri
manissin
mattdavi
mhulan
mnovotny
mosmerov
mposolda
mstipich
msvehla
mwringe
nboldt
nipatil
nmoumoul
nwallace
orabin
osousa
pahickey
pantinor
parichar
pberan
pbizzarr
pcreech
pdelbell
pesilva
pjindal
pmackay
progier
psrna
rchan
rexwhite
rhaigner
rjohnson
rkubis
rmartinc
rojacob
rstancel
rstepani
sausingh
sdawley
sfeifer
simaishi
smaestri
smallamp
smcdonal
snegrini
spichugi
ssidhaye
ssilvert
stcannon
sthirugn
sthorger
swoodman
tasato
tbordaz
teagle
tmalecek
tom.jenkinson
tsedmik
vashirov
vkumar
vmuzikar
yguenane