CVE-2026-25048
Status: Received - Intake
Segmentation Fault in xgrammar Library via Nested Syntax Parsing

Publication date: 2026-03-05

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.
Meta Information
Published: 2026-03-05
Last Modified: 2026-03-13
Generated: 2026-06-16
AI Q&A: 2026-03-05
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: mlc-ai | Product: xgrammar | Version / Range: up to 0.1.32 (exclusive)
CWE ID: CWE-674 - The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
AI Quick Actions
Executive Summary

CVE-2026-25048 is a denial-of-service (DoS) vulnerability in the Python package xgrammar version 0.1.31. It is caused by multi-layer nested syntax triggering a segmentation fault (core dumped). Specifically, when a malicious grammar rule is constructed with extremely deep nesting, such as 30,000 layers of nested parentheses, the uncontrolled recursion leads to a stack overflow or memory exhaustion.

This vulnerability causes the xgrammar compiler to crash during grammar compilation or processing, as it fails to limit recursion depth. The issue was fixed in version 0.1.32.

Impact Analysis

This vulnerability can cause a denial-of-service condition by crashing the application using the xgrammar library. An attacker can exploit it by providing a malicious grammar with extremely deep nested syntax, leading to excessive stack or memory consumption and ultimately causing the application to fail.

Such crashes can disrupt service availability, potentially impacting systems relying on xgrammar for structured generation or processing.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to compile or process a grammar rule with extremely deep nesting, such as 30,000 layers of nested parentheses; on an unpatched version this triggers a segmentation fault (core dumped) due to stack overflow or memory exhaustion.

A proof-of-concept script exists that defines such a deeply nested grammar rule and causes the xgrammar compiler to crash during grammar compilation or processing.

To detect the vulnerability on your system, you can run a test using a similar script that attempts to compile a grammar with very deep nesting and observe if the application crashes or produces a segmentation fault.

No specific network commands are provided, but monitoring for crashes or core dumps related to xgrammar during grammar compilation or generation is recommended.

Mitigation Strategies

The immediate mitigation step is to upgrade the xgrammar library to version 0.1.32 or later, where this vulnerability has been patched.

Avoid processing or compiling grammar rules with extremely deep nesting until the upgrade is applied.
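The guard below is an added example written for this page; it is not code from the xgrammar project and calls none of its API. It implements the two mitigations above: it checks whether the installed xgrammar is at or past the fixed release (0.1.32, from the advisory), and it measures the bracket nesting depth of grammar text before that text is handed to the compiler, so a 30,000-level input can be rejected in the caller rather than crashing the process. It assumes grammar nesting is expressed with brackets in the grammar text and that brackets inside quoted literals do not count; the depth limit MAX_NESTING_DEPTH is a hypothetical operational value, and the sample grammars are constructed for the example.

```python
"""Pre-compilation guard for grammar text destined for xgrammar (added example, not project code)."""
import re
from importlib.metadata import PackageNotFoundError, version
from typing import Optional, Tuple

FIXED_VERSION: Tuple[int, ...] = (0, 1, 32)  # first release with the fix, per the advisory
MAX_NESTING_DEPTH = 256                       # hypothetical limit; tune to your real grammars


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.1.32' (or '0.1.32rc1') into a comparable tuple of leading integers."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)  # keep only the leading digits of each component
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def installed_xgrammar_is_patched() -> Optional[bool]:
    """True if xgrammar >= 0.1.32 is installed, False if older, None if not installed."""
    try:
        installed = version("xgrammar")
    except PackageNotFoundError:
        return None
    return parse_version(installed) >= FIXED_VERSION


def max_nesting_depth(grammar_text: str) -> int:
    """Deepest (), [] or {} nesting in the text; brackets inside quoted literals are ignored."""
    depth = deepest = 0
    in_string: Optional[str] = None  # the quote character that opened the current literal
    escaped = False
    for ch in grammar_text:
        if in_string is not None:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == in_string:
                in_string = None
            continue
        if ch in "\"'":
            in_string = ch
        elif ch in "([{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in ")]}":
            depth = max(depth - 1, 0)  # tolerate unbalanced input; the compiler reports syntax errors
    return deepest


def grammar_is_safe_to_compile(grammar_text: str, max_depth: int = MAX_NESTING_DEPTH) -> bool:
    """Reject grammar text whose nesting exceeds the limit before it reaches the compiler."""
    return max_nesting_depth(grammar_text) <= max_depth


# Constructed sample inputs: a small recursive grammar and a 30,000-level nested one.
BENIGN_GRAMMAR = 'root ::= "(" (digit | root) ")"\ndigit ::= [0-9]'
DEEP_GRAMMAR = "root ::= " + "(" * 30000 + '"x"' + ")" * 30000


if __name__ == "__main__":
    patched = installed_xgrammar_is_patched()
    print("xgrammar patched:", patched if patched is not None else "not installed")
    for name, text in (("benign", BENIGN_GRAMMAR), ("deep", DEEP_GRAMMAR)):
        print(f"{name}: depth={max_nesting_depth(text)} safe={grammar_is_safe_to_compile(text)}")
```

Call grammar_is_safe_to_compile on untrusted grammar text before invoking the compiler; the depth scan is linear in the input length, so it is cheap to run on every request. Once installed_xgrammar_is_patched() returns True the depth check is a belt-and-braces measure, but keeping a sane limit still bounds the resources a single request can consume.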
