CVE-2026-4539
Status: Received - Intake
Inefficient Regex Complexity in Pygments AdlLexer Allows Local Attack

Publication date: 2026-03-22

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in Pygments up to and including version 2.19.2. The affected component is the AdlLexer (reported as "function AdlLexer") in the file pygments/lexers/archetype.py. Crafted input drives one of its regular expressions into inefficient, super-linear complexity (catastrophic backtracking), i.e. a regular-expression denial of service. The attack is only possible with local access. A proof of concept has been published and may be used in attacks. The project was informed of the problem early through an issue report but had not responded at the time of publication.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-22
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: pygments
Product: pygments
Version / Range: up to 2.19.2 (inclusive)
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
CWE-1333: The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Executive Summary

CVE-2026-4539 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Pygments library, specifically in the AdlLexer class in pygments/lexers/archetype.py. The issue arises from a regular expression used for GUID matching that contains nested repeating quantifiers, which causes catastrophic backtracking on crafted input.

Because the backtracking is super-linear in the input length, a sufficiently long crafted input keeps the lexing thread busy for an effectively unbounded time, consuming excessive CPU and making the highlighting call appear to hang.

The vulnerability is exploitable only with local access and has been publicly disclosed with proof-of-concept code demonstrating the delay caused by a crafted input string.

Impact Analysis

This vulnerability can be exploited to cause a denial of service by making the Pygments syntax highlighting process consume excessive CPU time, effectively blocking or slowing down the application.

An attacker with local access can supply specially crafted input that triggers catastrophic backtracking in the vulnerable regular expression, causing the application to hang or become unresponsive for several seconds or longer. The "local" attack vector reflects an attacker handing a crafted file to a local Pygments invocation; any service that highlights attacker-controlled text with this lexer (for example by choosing the lexer from a user-supplied filename or language hint) exposes the same code path to remote callers.

This degrades availability for any system that relies on Pygments for syntax highlighting, and under repeated requests it can pin every available worker and exhaust the service.

Detection Guidance

This vulnerability can be detected by testing the Pygments library's AdlLexer with specially crafted inputs that trigger inefficient regular expression processing, causing significant delays.

A proof-of-concept in Python to detect the vulnerability is the following code, which measures the processing time of a malicious input string:

    import time
    from pygments import lex
    from pygments.lexers import AdlLexer

    # A long run of hex-looking characters followed by a character that
    # breaks the match, so the regex engine backtracks over the whole run.
    malicious_input = "A" * 10000 + "-"
    lexer = AdlLexer()

    start = time.time()
    list(lex(malicious_input, lexer))   # lex() is lazy; force it to run to completion
    elapsed = time.time() - start
    print(f"elapsed: {elapsed:.2f}s")

If the elapsed time is significantly greater than 1 second, the vulnerability is confirmed as the regex engine is engaging in catastrophic backtracking. [2] Run the check under an external timeout (for example `timeout 30 python poc.py`): with a genuinely exponential regex an input of this length may never return, and a hung interpreter cannot be stopped from inside Python.

Mitigation Strategies

Immediate mitigation is to run highlighting of untrusted input in a separate process with a hard timeout and kill it when the timeout expires. A thread-level timeout is not enough in CPython: a running regex match cannot be interrupted from another thread, so only a process boundary lets the hang be terminated.

Additionally, limit the number of concurrent Pygments processes so that a burst of crafted inputs cannot pin every worker at once.

Report any reproducible input that causes long processing times to the Pygments maintainers to help prioritise a fix, and track the upstream issue for a patched release.
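As an added example (not code from this page, from VulDB, or from the Pygments project), the following Python script shows both halves of the guidance above: how to probe a regex for super-linear behaviour without hanging the test process, and how to run highlighting of untrusted input in a child process with a hard kill timeout and a bound on concurrency. `VULNERABLE_GUID` is a constructed nested-quantifier GUID matcher that stands in for the pattern in archetype.py (which this page does not quote), `SAFE_GUID` is its linear rewrite, and `highlight_guarded` assumes Pygments is installed in the child interpreter and that `adl` is the AdlLexer alias; the ADL fragment in the demo is constructed.

```python
"""Timeout-guarded regex probing and Pygments highlighting (added example)."""
import re
import subprocess
import sys
import threading
import time

# Constructed pathological pattern, NOT the one from pygments/lexers/archetype.py:
# the inner `[0-9a-fA-F]+` and the outer `(...)+` both consume hex characters, so
# on "aaaa...a!" the engine tries every way of splitting the run (2^(n-1) ways)
# before failing at the "!".
VULNERABLE_GUID = r"^([0-9a-fA-F]+-?)+$"

# Linear rewrite: fixed-width groups separated by literal dashes, no overlap.
SAFE_GUID = (r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
             r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")

# Mitigation: never more than this many highlighting children at once.
_SLOTS = threading.BoundedSemaphore(4)


def is_guid(text, pattern=SAFE_GUID):
    """True if `text` is a GUID under `pattern` (default: the linear one)."""
    return re.match(pattern, text) is not None


def run_snippet(snippet, timeout, stdin_data=""):
    """Run Python `snippet` in a child interpreter fed `stdin_data`.

    A thread stuck in re.match() cannot be interrupted in CPython, so the work
    is isolated in a process that subprocess.run() kills once `timeout` seconds
    pass. Returns (status, elapsed_seconds, stdout) with status in
    {"ok", "error", "timeout"}.
    """
    start = time.monotonic()
    with _SLOTS:  # bound concurrency across callers
        try:
            proc = subprocess.run([sys.executable, "-c", snippet],
                                  input=stdin_data, capture_output=True,
                                  text=True, timeout=timeout)
            status = "ok" if proc.returncode == 0 else "error"
            out = proc.stdout
        except subprocess.TimeoutExpired:
            status, out = "timeout", ""  # child has already been killed
    return status, time.monotonic() - start, out


def _regex_snippet(pattern):
    # The child reads its input from stdin so long strings never hit argv limits.
    return f"import re, sys\nre.match({pattern!r}, sys.stdin.read())\n"


def probe_regex(pattern, text, timeout=1.0):
    """Status of re.match(pattern, text) executed under a hard timeout."""
    return run_snippet(_regex_snippet(pattern), timeout, text)[0]


def profile(pattern, sizes, timeout=1.0):
    """(n, status, elapsed) for inputs "a"*n + "!"; catastrophic backtracking
    shows as elapsed growing far faster than n and then hitting the timeout."""
    rows = []
    for n in sizes:
        status, elapsed, _ = run_snippet(_regex_snippet(pattern), timeout,
                                         "a" * n + "!")
        rows.append((n, status, round(elapsed, 3)))
    return rows


def highlight_guarded(code, lexer_alias="adl", timeout=2.0):
    """Highlight untrusted `code` with Pygments in a killable child process.

    Assumes Pygments is importable by the child and that "adl" is the
    AdlLexer alias. Returns (status, elapsed_seconds, html).
    """
    snippet = ("import sys\n"
               "from pygments import highlight\n"
               "from pygments.lexers import get_lexer_by_name\n"
               "from pygments.formatters import HtmlFormatter\n"
               f"lexer = get_lexer_by_name({lexer_alias!r})\n"
               "sys.stdout.write(highlight(sys.stdin.read(), lexer, HtmlFormatter()))\n")
    return run_snippet(snippet, timeout, code)


if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE_GUID), ("safe", SAFE_GUID)):
        print(name, profile(pat, (10, 15, 20, 25, 30)))
    # Constructed ADL fragment; status is "error" if Pygments is not installed.
    status, elapsed, html = highlight_guarded("archetype (adl_version=1.4)\n")
    print("highlight:", status, f"{elapsed:.2f}s", len(html), "bytes of HTML")
```

The probe never asserts on wall-clock ratios, which are noisy; a pattern is flagged when the child hits the kill timeout while the linear rewrite returns immediately on the same input. The same `run_snippet` wrapper is what a service should put around every highlighting call on untrusted text: the semaphore caps how many children can be stuck at once, and the timeout guarantees each one is reaped.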
