CVE-2026-4539
Inefficient Regex Complexity in Pygments AdlLexer Allows Local Attack
Publication date: 2026-03-22
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pygments | pygments | up to 2.19.2 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4539 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Pygments library, specifically in the AdlLexer function of the file pygments/lexers/archetype.py. The issue arises from an inefficient regular expression used for GUID matching that contains nested repeating quantifiers, causing catastrophic backtracking when processing certain malicious inputs.
This inefficiency leads to severe performance degradation and can indefinitely block the application thread when handling sufficiently large inputs, resulting in excessive processing time or resource consumption.
The vulnerability is exploitable only with local access and has been publicly disclosed with proof-of-concept code demonstrating the delay caused by a crafted input string.
How can this vulnerability impact me?
This vulnerability can be exploited to cause a denial of service by making the Pygments syntax highlighting process consume excessive CPU time and memory, effectively blocking or slowing down the application.
An attacker with local access can supply specially crafted inputs that trigger catastrophic backtracking in the vulnerable regular expression, causing the application to hang or become unresponsive for several seconds or longer.
This can degrade service availability and impact systems relying on Pygments for syntax highlighting, potentially leading to resource exhaustion and reduced performance.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the Pygments library's AdlLexer with specially crafted inputs that trigger inefficient regular expression processing, causing significant delays.

A proof-of-concept check in Python is to run the following code, which measures how long the lexer takes to process the malicious input string:

```python
import time

from pygments import lex
from pygments.lexers import AdlLexer

# Input described on this page as triggering catastrophic backtracking
# in the lexer's GUID-matching regular expression.
malicious_input = "A" * 10000 + "-"
lexer = AdlLexer()

start = time.time()
list(lex(malicious_input, lexer))  # force the lazy token generator to run to completion
elapsed = time.time() - start
print(f"AdlLexer processing time: {elapsed:.2f} s")
```

If the elapsed time is significantly greater than 1 second, the vulnerability is confirmed, as the regex engine is engaging in catastrophic backtracking. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include enforcing timeouts on Pygments processes to terminate them after a short, reasonable duration to prevent resource exhaustion.
Additionally, limit the number of concurrent Pygments processes to reduce the risk of denial-of-service caused by excessive resource consumption.
Reporting any reproducible bugs causing long processing times to the Pygments maintainers is also recommended to help prioritize fixes.
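The timeout and concurrency controls recommended above can be applied without changing Pygments itself by running each highlighting job in a short-lived child process and killing it when it overruns. The following is an added example written for this page, not code from the Pygments project or from VulDB: it wraps `pygments.lex` in a child process bounded by `subprocess.run(timeout=...)`, caps input size before spending a process, and limits the number of simultaneous jobs with a semaphore. The Pygments calls used inside the child (`pygments.lex`, `pygments.lexers.get_lexer_by_name`) exist in the library; the lexer alias `adl` for AdlLexer and the limits (`2.0` seconds, `200_000` bytes, `4` concurrent jobs) are assumptions chosen for illustration and should be tuned to the deployment.

```python
"""Bounded syntax highlighting: run Pygments in a child process with a wall-clock
timeout, an input size cap and a concurrency limit (mitigation example, not
Pygments project code)."""
import subprocess
import sys
import threading
from dataclasses import dataclass

# Child-side script. It reads the untrusted source text from stdin, highlights
# it with the lexer named in argv[1] and prints the token count. It only ever
# runs inside the child, so a ReDoS stall here is killed by the parent's timeout.
PYGMENTS_CHILD = """
import sys
from pygments import lex
from pygments.lexers import get_lexer_by_name
lexer = get_lexer_by_name(sys.argv[1])
tokens = list(lex(sys.stdin.read(), lexer))
print(len(tokens))
"""

# Assumed deployment limits; tune to the service's real traffic.
TIMEOUT_SECONDS = 2.0
MAX_INPUT_BYTES = 200_000
MAX_CONCURRENT = 4
_slots = threading.BoundedSemaphore(MAX_CONCURRENT)


@dataclass
class Outcome:
    status: str   # "ok", "timeout", "error", "rejected" or "busy"
    detail: str   # child stdout on success, stderr or a reason otherwise


def run_bounded(child_script: str, args: list, stdin_text: str, timeout_s: float) -> Outcome:
    """Run `child_script` in a fresh interpreter; subprocess.run kills the child
    when the timeout expires, so a backtracking regex cannot hold the worker."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", child_script, *args],
            input=stdin_text, capture_output=True, text=True, timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        return Outcome("timeout", f"child exceeded {timeout_s}s and was killed")
    if proc.returncode != 0:
        return Outcome("error", proc.stderr.strip())
    return Outcome("ok", proc.stdout.strip())


def highlight_bounded(source: str, lexer_alias: str = "adl",
                      timeout_s: float = TIMEOUT_SECONDS,
                      max_bytes: int = MAX_INPUT_BYTES) -> Outcome:
    """Highlight `source` with the named Pygments lexer under all three limits.
    The size cap is checked first because it costs nothing; the semaphore is
    non-blocking so an overloaded service fails fast instead of queueing."""
    if len(source.encode("utf-8")) > max_bytes:
        return Outcome("rejected", f"input exceeds {max_bytes} bytes")
    if not _slots.acquire(blocking=False):
        return Outcome("busy", f"more than {MAX_CONCURRENT} highlighting jobs in flight")
    try:
        return run_bounded(PYGMENTS_CHILD, [lexer_alias], source, timeout_s)
    finally:
        _slots.release()


if __name__ == "__main__":
    # Constructed sample input: an ordinary short snippet handed to the bounded
    # highlighter. If Pygments is not installed the child fails and the outcome
    # is reported as "error" rather than crashing the caller.
    sample = "archetype (adl_version=1.4)\n"
    print(highlight_bounded(sample))
```

Operationally, the `timeout` outcome is the signal worth alerting on: a burst of killed highlighting children for one lexer is exactly the footprint a ReDoS attempt leaves, and logging the lexer alias and input size alongside it gives the maintainers a reproducible report.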