CVE-2026-11478
Status: Deferred - Pending Action
Inefficient Regex Complexity in tiny-regex-c

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulDB

Description
A flaw has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb. This vulnerability affects the function matchstar of the file re.c of the component Pattern Handler. This manipulation causes inefficient regular expression complexity. The attack is restricted to local execution. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
Affected Vendors & Products
Two associated CPEs:

Vendor   Product        Version / Range
kokke    tiny_regex_c   1.0
kokke    tiny_regex_c   to 1.0 (exc)
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

CVE-2026-11478 is a Regular Expression Denial of Service (ReDoS) vulnerability found in the tiny-regex-c library, specifically in the matchstar function of the re.c file. The issue arises from inefficient greedy quantifier matching, where functions like matchstar() consume as much input as possible before backtracking. When multiple greedy quantifiers are chained in a failing pattern, this leads to exponential CPU consumption due to worst-case backtracking.

An attacker can exploit this vulnerability by providing crafted regex patterns or inputs that trigger this inefficient backtracking, causing excessive CPU usage and potentially denying service to applications using this library. The attack is limited to local execution.

Impact Analysis

This vulnerability can cause applications using the tiny-regex-c library to experience excessive CPU consumption when processing certain crafted regular expressions. This can lead to degraded performance or denial of service conditions, where legitimate users may be unable to use the affected application effectively.

Since the attack is restricted to local execution, an attacker would need local access to exploit it, but once exploited, it can significantly impact system responsiveness and availability.

Detection Guidance

This vulnerability involves inefficient regular expression complexity in the matchstar function of tiny-regex-c, which can be detected by observing excessive CPU usage when processing certain regex patterns.

Detection can be performed by running proof-of-concept regex patterns that trigger worst-case backtracking and monitoring CPU consumption.

For example, you can test the regex engine with patterns containing chained greedy quantifiers like 'a*a*a*' against failing inputs to see if CPU usage spikes.

While no specific commands are provided in the resources, a general approach is to use tools like 'top' or 'htop' on Linux to monitor CPU usage while running test inputs against the vulnerable regex functions.

Additionally, running the provided proof-of-concept exploit files (from Resource 1) in a controlled environment can help confirm the presence of the vulnerability by observing abnormal resource consumption.

Mitigation Strategies

Immediate mitigation steps include avoiding vulnerable builds of tiny-regex-c, or not passing patterns with chained greedy quantifiers (the input that exercises the matchstar function) to it.

Since the project has not yet provided a fixed release, consider applying workarounds such as limiting input size or rejecting ambiguous quantifier chains in regex patterns.

Another recommended approach is to replace the backtracking implementation with a linear-time regex matching strategy or add match-step limits to prevent excessive CPU consumption.

Monitoring and restricting local execution of untrusted regex patterns can also reduce the risk, as the attack is restricted to local execution.
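As an added illustration of the match-step limit suggested above, and of the worst-case backtracking the detection guidance describes, here is a simplified Kernighan-style matcher that keeps tiny-regex-c's greedy star semantics but counts matcher steps and returns a distinct "limit exceeded" result instead of spinning. This is example code written for this page, not code from tiny-regex-c or from the advisory; the function names, the result codes and the budget values are assumptions, and the 60-character input is constructed.

```c
/* Result codes; RE_LIMIT tells the caller the matcher gave up, not that input failed. */
enum { RE_NOMATCH = 0, RE_MATCH = 1, RE_LIMIT = -1 };
/* Remaining step budget, decremented on every matchhere() call. */
struct re_ctx { long steps_left; };
static int matchhere(struct re_ctx *cx, const char *re, const char *text);

/* Greedy star, as in tiny-regex-c: swallow every c, then back off one char at a time. */
static int matchstar(struct re_ctx *cx, int c, const char *re, const char *text)
{
    const char *t = text;
    while (*t != '\0' && (*t == c || c == '.'))
        t++;
    do {
        int r = matchhere(cx, re, t);
        if (r != RE_NOMATCH)
            return r;            /* RE_MATCH, or RE_LIMIT propagating up */
    } while (t-- != text);       /* backtrack toward zero repetitions */
    return RE_NOMATCH;
}

static int matchhere(struct re_ctx *cx, const char *re, const char *text)
{
    if (cx->steps_left-- <= 0)
        return RE_LIMIT;         /* budget exhausted: stop instead of spinning */
    if (re[0] == '\0')
        return RE_MATCH;
    if (re[1] == '*')
        return matchstar(cx, re[0], re + 2, text);
    if (re[0] == '$' && re[1] == '\0')
        return *text == '\0' ? RE_MATCH : RE_NOMATCH;
    if (*text != '\0' && (re[0] == '.' || re[0] == *text))
        return matchhere(cx, re + 1, text + 1);
    return RE_NOMATCH;
}

/* Search for re anywhere in text, spending at most max_steps matcher steps. */
int re_match_bounded(const char *re, const char *text, long max_steps)
{
    struct re_ctx cx = { max_steps };
    if (re[0] == '^')
        return matchhere(&cx, re + 1, text);
    do {
        int r = matchhere(&cx, re, text);
        if (r != RE_NOMATCH)
            return r;
    } while (*text++ != '\0');
    return RE_NOMATCH;
}

/* Constructed worst case: 60 'a's then 'c', so "a*a*a*b" can never match and
   the three greedy stars backtrack through every split (roughly n^4/24 steps). */
int demo_chained_star(long max_steps)
{
    char text[62];
    for (int i = 0; i < 60; i++) text[i] = 'a';
    text[60] = 'c'; text[61] = '\0';
    return re_match_bounded("a*a*a*b", text, max_steps);
}
```

With a 20,000-step budget the chained pattern is cut off with RE_LIMIT, while the same call with a very large budget eventually reports RE_NOMATCH, which is the polynomial blowup the advisory describes made visible as a step count rather than as a CPU spike.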

Compliance Impact

The vulnerability in tiny-regex-c causes inefficient regular expression complexity leading to potential denial of service through excessive CPU consumption. Since the attack is restricted to local execution and does not directly involve data leakage or unauthorized access, its impact on compliance with standards like GDPR or HIPAA is indirect.

However, denial of service conditions can affect system availability, which is a component of many security frameworks and regulations. If exploited, this vulnerability could impair the availability of systems relying on the affected library, potentially impacting compliance with availability requirements in standards such as HIPAA or GDPR.

No explicit information is provided about data confidentiality or integrity breaches, so direct violations of data protection requirements are not indicated.
