CVE-2026-26996
ReDoS Vulnerability in minimatch ≤10.2.0 Causes DoS

Publication date: 2026-02-20

Last updated on: 2026-03-06

Assigner: GitHub, Inc.

Description
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
minimatch_project minimatch From 10.0.0 (inc) to 10.2.1 (exc)
minimatch_project minimatch From 3.0.0 (inc) to 3.1.3 (exc)
minimatch_project minimatch From 4.0.0 (inc) to 4.2.4 (exc)
minimatch_project minimatch From 5.0.0 (inc) to 5.1.7 (exc)
minimatch_project minimatch From 6.0.0 (inc) to 6.2.1 (exc)
minimatch_project minimatch From 7.0.0 (inc) to 7.4.7 (exc)
minimatch_project minimatch From 8.0.0 (inc) to 8.0.5 (exc)
minimatch_project minimatch From 9.0.0 (inc) to 9.0.6 (exc)
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-26996 is a Regular Expression Denial of Service (ReDoS) vulnerability in the minimatch library, which converts glob expressions into JavaScript regular expressions.

The vulnerability occurs in versions 10.2.0 and below when a glob pattern contains many consecutive asterisk (*) wildcards followed by a literal character that does not appear in the test string.

Each asterisk compiles into a separate non-greedy regex group ([^/]*?), and when the literal character is missing in the input, the regex engine backtracks exponentially across all possible ways to distribute characters among these groups, causing excessive processing time.

This results in a time complexity of O(4^N), where N is the number of asterisks, leading to delays or hangs in applications using minimatch with vulnerable patterns.

The issue was fixed in minimatch version 10.2.1 by collapsing multiple consecutive asterisks into a single one to prevent this exponential backtracking.


How can this vulnerability impact me?

This vulnerability can cause a denial of service (DoS) by making the affected application consume excessive CPU resources during regex evaluation.

An attacker who can supply the pattern argument can trigger this remotely, without privileges or user interaction, by sending a glob pattern with many consecutive asterisks followed by a literal character not present in the string being matched.

Applications that pass user-controlled strings to minimatch() as the pattern argument, such as file search/filter user interfaces, .gitignore-style filtering with user-defined rules, build tools with glob configurations, or APIs exposing glob matching to untrusted input, are vulnerable.

The impact is primarily on availability, as the system may become unresponsive or hang indefinitely due to the exponential backtracking in the regex engine.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is reached when minimatch compiles a glob pattern containing many consecutive * wildcards followed by a literal character absent from the test string, so detection has two parts.

First, inventory: find every installed copy of minimatch, including transitive copies, and compare each version against the affected ranges listed above. In an npm project, npm ls minimatch --all lists each resolved copy with its version, and npm audit reports the advisories the registry carries for the versions in your lockfile.

Second, exposure: review the code paths that pass user-controlled strings to minimatch() as the pattern argument, since the description identifies the pattern, not the string being matched, as the attacker-controlled input. Only those call sites let an attacker choose the number of wildcards.

The resources attached to this page provide no network-level detection signature for this issue.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade minimatch to a fixed release. The description names 10.2.1 for the 10.x line; the affected ranges listed above put the corresponding fix for earlier lines at 3.1.3, 4.2.4, 5.1.7, 6.2.1, 7.4.7, 8.0.5 and 9.0.6. Because minimatch is usually pulled in transitively (glob and similar tools depend on it), update the lockfile and confirm with npm ls minimatch --all that no copy in an affected range remains.

The fix collapses runs of consecutive * characters into a single wildcard, so the compiled regex has one [^/]*? group and no splits to backtrack across.

Where user-controlled strings must be accepted as glob patterns, validate them before calling minimatch(): reject or collapse runs of consecutive * beyond what your use case needs (** as a globstar is the common legitimate case), cap pattern length, and keep the check in place on patched versions as well, so that a downgrade or a second, older copy of minimatch does not reopen the issue.

