CVE-2026-49851
Status: Received - Intake
CPU Exhaustion DoS in Mistune Markdown Parser

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. When parsing Markdown containing many consecutive '[' characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. This vulnerability is fixed in 3.3.0.
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
lepture  mistune   < 3.3.0 (3.3.0 excluded)
lepture  mistune   3.2.1
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Executive Summary

CVE-2026-49851 is a denial-of-service (DoS) vulnerability in Mistune, a Python Markdown parser. The issue occurs in the parse_link_text function, which exhibits superlinear (approximately O(n²)) CPU usage when parsing Markdown input containing many consecutive '[' characters.

This happens because the parser repeatedly scans the input string inside a loop, with each iteration rescanning a large portion of the remaining string. This leads to excessive CPU consumption triggered by a small, attacker-controlled Markdown payload.

The vulnerability is fixed in Mistune version 3.3.0 by changing parse_link_text to return the furthest scanned position even on failure, allowing the parser to skip ahead efficiently and avoid the quadratic-time behavior.

Impact Analysis

This vulnerability can cause excessive CPU usage and denial-of-service conditions in any application that parses user-supplied Markdown using Mistune versions 3.2.1 and earlier.

An attacker can craft a small Markdown payload (around 6 KB) containing many consecutive '[' characters that occupies CPU resources for several seconds, slowing or blocking the parsing service.

Affected applications include web applications, API services, and documentation systems that rely on Mistune for Markdown parsing, potentially leading to service unavailability or degraded performance.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage when processing Markdown input containing many consecutive '[' characters. Because parse_link_text rescans the input in quadratic time, a test payload of many consecutive '[' characters (around 6 KB in size) fed to your system should show the problem directly in CPU behavior.

The advisory does not provide specific commands. A practical approach is to use system monitoring tools such as 'top' or 'htop' on Linux to observe CPU usage during Markdown parsing. Additionally, you can create a test Markdown file with many consecutive '[' characters and process it through your application using commands like:

  • cat test_payload.md | your_markdown_parser_command
  • Monitor CPU usage with: top or htop

If CPU usage spikes significantly, or the process becomes unresponsive for several seconds on a payload of only a few kilobytes, the installed version is affected.

Mitigation Strategies

The immediate mitigation step is to upgrade Mistune to version 3.3.0 or later, where the vulnerability has been fixed. The fix modifies the parse_link_text function to efficiently skip ahead in the input, preventing the quadratic-time CPU exhaustion.

Until you can upgrade, consider implementing input validation or rate limiting on Markdown inputs to prevent processing of payloads containing many consecutive '[' characters, which trigger the vulnerability.

Additionally, monitor your systems for unusual CPU usage patterns during Markdown parsing and consider temporarily disabling or restricting Markdown parsing features if possible.
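The following Python helper is an added example for the Detection Guidance and Mitigation Strategies sections above; it is not part of the advisory or of Mistune. It provides an interim pre-parse guard for unpatched deployments (the 64-character run limit is an assumed threshold), a version check against the 3.3.0 fix, and a timing-based regression check that estimates how parse time grows with the number of consecutive '[' characters, which is a more repeatable signal than watching top or htop.

```python
import math
import re
import time
from typing import Callable

FIXED_VERSION = (3, 3, 0)  # first release containing the fix, per the advisory
MAX_BRACKET_RUN = 64       # assumed threshold; ordinary Markdown rarely needs more

def longest_bracket_run(text: str) -> int:
    """Length of the longest run of consecutive '[' characters in the input."""
    return max((m.end() - m.start() for m in re.finditer(r"\[+", text)), default=0)

def exceeds_bracket_limit(text: str, max_run: int = MAX_BRACKET_RUN) -> bool:
    """True when the input carries a '[' run longer than max_run."""
    return longest_bracket_run(text) > max_run

def guard_markdown(text: str, max_run: int = MAX_BRACKET_RUN) -> str:
    """Pre-parse check for unpatched deployments: refuse inputs that would drive
    parse_link_text into its quadratic path. Callers usually map ValueError to HTTP 400."""
    if exceeds_bracket_limit(text, max_run):
        raise ValueError(f"markdown rejected: '[' run longer than {max_run}")
    return text

def parse_version(v: str) -> tuple:
    """Turn '3.2.1' or '3.3.0rc1' into a comparable tuple of leading integers."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    return tuple(int(p) for p in m.groups(default="0"))

def is_patched(v: str) -> bool:
    """True when a Mistune version string is 3.3.0 or later."""
    return parse_version(v) >= FIXED_VERSION

def growth_exponent(parse: Callable[[str], object], n: int = 2000) -> float:
    """Regression check for the superlinear behaviour: time the parser on n and
    2n consecutive '[' characters and return log2 of the ratio. About 1.0 means
    linear; about 2.0 means the quadratic pattern the advisory describes."""
    def seconds(k: int) -> float:
        t0 = time.perf_counter()
        parse("[" * k)
        return time.perf_counter() - t0
    t1, t2 = seconds(n), seconds(2 * n)
    return math.log2(t2 / t1) if t1 > 0 else float("nan")

if __name__ == "__main__":
    try:
        import mistune  # only used when the real parser is installed
        print("patched:", is_patched(mistune.__version__),
              "exponent:", round(growth_exponent(mistune.markdown), 2))
    except ImportError:
        print("mistune not installed; guard and version helpers still usable")
```

The exponent is an estimate from two timings, so run it a few times on a quiet host before concluding anything.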

Compliance Impact

This vulnerability in Mistune can lead to a denial-of-service (DoS) attack by causing excessive CPU consumption when parsing malicious Markdown input. Such DoS conditions can impact the availability of applications processing user-supplied Markdown, including web applications and API services.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, denial-of-service vulnerabilities can indirectly affect compliance by disrupting service availability, which is a component of many regulatory requirements related to data protection and service reliability.

Therefore, organizations relying on Mistune for Markdown parsing should consider this vulnerability as a risk to maintaining continuous service availability, which is important for compliance with regulations that mandate data availability and protection against service disruptions.
