CVE-2026-25048
Modified Modified - Updated After Analysis

Segmentation Fault in xgrammar Library via Nested Syntax Parsing

Vulnerability report for CVE-2026-25048, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-05

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-05
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-03-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mlc-ai xgrammar to 0.1.32 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-25048 is a denial-of-service (DoS) vulnerability in the Python package xgrammar version 0.1.31. It occurs due to multi-layer nested syntax causing a segmentation fault (core dumped). Specifically, when a malicious grammar rule is constructed with extremely deep nestingβ€”such as 30,000 layers of nested parenthesesβ€”it leads to uncontrolled recursion resulting in stack overflow or memory exhaustion.

This vulnerability causes the xgrammar compiler to crash during grammar compilation or processing, as it fails to limit recursion depth. The issue was fixed in version 0.1.32.

Impact Analysis

This vulnerability can cause a denial-of-service condition by crashing the application using the xgrammar library. An attacker can exploit it by providing a malicious grammar with extremely deep nested syntax, leading to excessive stack or memory consumption and ultimately causing the application to fail.

Such crashes can disrupt service availability, potentially impacting systems relying on xgrammar for structured generation or processing.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to compile or process a grammar rule with extremely deep nesting, such as 30,000 layers of nested parentheses, which triggers a segmentation fault (core dumped) due to stack overflow or memory exhaustion.

A proof-of-concept script exists that defines such a deeply nested grammar rule and causes the xgrammar compiler to crash during grammar compilation or processing.

To detect the vulnerability on your system, you can run a test using a similar script that attempts to compile a grammar with very deep nesting and observe if the application crashes or produces a segmentation fault.

No specific network commands are provided, but monitoring for crashes or core dumps related to xgrammar during grammar compilation or generation is recommended.

Mitigation Strategies

The immediate mitigation step is to upgrade the xgrammar library to version 0.1.32 or later, where this vulnerability has been patched.

Avoid processing or compiling grammar rules with extremely deep nesting until the upgrade is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25048. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart