CVE-2026-4833
Received Received - Intake
Uncontrolled Recursion in Orc Discount Markdown Handler Causes Crash

Publication date: 2026-03-26

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in Orc discount up to 3.0.1.2. This issue affects the function compile of the file markdown.c of the component Markdown Handler. This manipulation causes uncontrolled recursion. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project maintainer confirms: "[I]f you feed it an infinitely deep blockquote input it will crash. (...) [T]his is a duplicate of an old bug that I've been working on."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4833
EUVD
EUVD-2026-16078
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
orc discount to 3.0.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-4833 is a vulnerability in the Orc discount library, specifically in the compile() function of the markdown.c file within the Markdown Handler component. The issue arises from uncontrolled recursion caused by processing maliciously crafted markdown input with excessively deep nesting, such as infinitely deep blockquotes.

This uncontrolled recursion leads to stack exhaustion, causing the application to crash with a segmentation fault. The vulnerability is triggered locally by feeding the program a specially crafted markdown file that induces deep nesting.

A suggested mitigation involves introducing a maximum nesting depth limit and tracking recursion depth to abort parsing when the limit is reached, thus preventing stack exhaustion.

Impact Analysis

This vulnerability can cause the affected application using Orc discount to crash due to stack exhaustion when processing malicious markdown input with deep nesting.

Since the attack is restricted to local execution, an attacker would need local access to exploit it.

The impact is primarily a denial of service (DoS) condition where the application becomes unavailable or unstable due to the crash.

Detection Guidance

This vulnerability can be detected by running the vulnerable Orc discount markdown parser with a specially crafted markdown file that contains excessively nested structures, such as an infinitely deep blockquote input, which triggers uncontrolled recursion and causes the application to crash.

A practical detection method is to execute the program with a malicious markdown file (e.g., crash00.md) that induces deep nesting and observe if the process crashes with a segmentation fault or stack exhaustion.

Example command to test the vulnerability (assuming the vulnerable binary is named 'discount' and the test file is 'crash00.md'):

  • ./discount crash00.md

If the program crashes or triggers a stack overflow, the vulnerability is present.

Mitigation Strategies

To mitigate this vulnerability, it is recommended to introduce a maximum nesting depth limit in the markdown parser to prevent uncontrolled recursion.

Specifically, add a depth counter variable to the parsing context structure that increments before each recursive call to the compile() function and decrements after returning.

If the maximum nesting depth (recommended values are 100 or 200) is reached, the parser should abort deep parsing and treat the remaining input as plain text, thus preventing further recursion and stack exhaustion.

Until a patched version is available, avoid processing untrusted markdown files with deeply nested structures locally, as the attack requires local execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4833. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart