Cyber Posture

CVE-2026-23956

High

Published: 22 January 2026

Modified: 27 February 2026
KEV Added: not listed
Patch: fixed in version 1.4.1
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (8.2th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23956 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Lxsmnsyc Seroval. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 8.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct remote exploitation of a library deserialization flaw (oversized or backtracking-prone RegExp patterns) to trigger memory or CPU exhaustion and an application denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.

Deeper analysis

CVE-2026-23956 affects the seroval JavaScript library, which enables stringification of JavaScript values including complex structures beyond the capabilities of JSON.stringify. In versions 1.4.0 and earlier, the vulnerability arises from overriding RegExp serialization with extremely large patterns, which can exhaust JavaScript runtime memory during deserialization. Additionally, patterns that trigger catastrophic backtracking can cause ReDoS (Regular Expression Denial of Service). The issue is classified under CWE-1333 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, authentication, or user interaction. By crafting malicious serialized payloads with oversized or backtracking-prone RegExp patterns, unauthenticated attackers can trigger memory exhaustion or prolonged CPU usage during deserialization, resulting in denial of service that disrupts application availability.

The seroval security advisory and associated commit confirm the issue has been addressed in version 1.4.1. Security practitioners should upgrade to this patched version to mitigate the vulnerability, as detailed in the GitHub security advisory (GHSA-hx9m-jf43-8ffr) and the fixing commit (ce9408ebc87312fcad345a73c172212f2a798060).
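The two failure modes described above (an oversized pattern exhausting memory, and a nested-quantifier pattern causing catastrophic backtracking) both stem from reconstructing a RegExp straight from untrusted serialized input. The following is an added example, not seroval's code and not its wire format: it assumes a serialized RegExp arrives as a `{ source, flags }` descriptor and shows the kind of pre-validation a deserializer can apply before calling `new RegExp`. The length cap, flag allow-list and nested-quantifier heuristic are policy choices for the example; upgrading to 1.4.1 remains the actual fix.

```javascript
// Added example (not seroval's code): validate a serialized RegExp descriptor
// before reconstructing it, so a hostile payload cannot make the deserializer
// build an oversized or backtracking-prone RegExp.
// The descriptor shape { source, flags } is an assumption for this example.

const MAX_SOURCE_LENGTH = 1024; // policy limit; tune per application
const ALLOWED_FLAGS = new Set(["d", "g", "i", "m", "s", "u", "v", "y"]);

// Heuristic: a group that contains an unbounded quantifier and is then
// quantified again, e.g. (a+)+ or (\d*)*, is the classic shape behind
// catastrophic backtracking. Coarse pre-filter, not a proof of safety.
const NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*[*+](?:[^()\\]|\\.)*\)[*+]/;

// Returns { ok: true } or { ok: false, reason } without building a RegExp.
function checkRegExpDescriptor(desc) {
  if (desc === null || typeof desc !== "object") {
    return { ok: false, reason: "descriptor must be an object" };
  }
  const { source, flags = "" } = desc;
  if (typeof source !== "string" || typeof flags !== "string") {
    return { ok: false, reason: "source and flags must be strings" };
  }
  if (source.length > MAX_SOURCE_LENGTH) {
    return { ok: false, reason: `source length ${source.length} exceeds ${MAX_SOURCE_LENGTH}` };
  }
  for (const f of flags) {
    if (!ALLOWED_FLAGS.has(f)) {
      return { ok: false, reason: `unsupported flag '${f}'` };
    }
  }
  if (NESTED_QUANTIFIER.test(source)) {
    return { ok: false, reason: "nested unbounded quantifier (possible catastrophic backtracking)" };
  }
  return { ok: true };
}

// Builds the RegExp only after the descriptor passes the checks above.
function deserializeRegExp(desc) {
  const verdict = checkRegExpDescriptor(desc);
  if (!verdict.ok) {
    throw new Error(`rejected RegExp payload: ${verdict.reason}`);
  }
  return new RegExp(desc.source, desc.flags ?? "");
}

// Constructed sample payloads (not captured from any real system).
const SAMPLES = {
  benign:    { source: "^[a-z0-9_-]{3,16}$", flags: "i" },
  oversized: { source: "a".repeat(MAX_SOURCE_LENGTH + 1), flags: "" },
  backtrack: { source: "^(a+)+$", flags: "" },
  badFlag:   { source: "abc", flags: "x" },
};

// Runs every sample through the check and reports which ones were accepted.
function triage(samples) {
  const out = {};
  for (const [name, desc] of Object.entries(samples)) {
    out[name] = checkRegExpDescriptor(desc).ok;
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(triage(SAMPLES)); // { benign: true, oversized: false, backtrack: false, badFlag: false }
  console.log(deserializeRegExp(SAMPLES.benign).test("user_01")); // true
}
```

The check runs entirely on the string form, so a rejected pattern is never compiled and never executed; the decision is made before any memory is allocated for the RegExp or any matching can begin. Because the nested-quantifier test is a heuristic, it is a defence-in-depth layer for a deserializer that must accept RegExp values at all, not a substitute for the upstream fix.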

Details

CWE(s)

CWE-1333 Inefficient Regular Expression Complexity

Affected Products

lxsmnsyc seroval, versions ≤ 1.4.1

CVEs Like This One

CVE-2026-24006 (same product: Lxsmnsyc Seroval)
CVE-2026-23957 (same product: Lxsmnsyc Seroval)
CVE-2026-23736 (same product: Lxsmnsyc Seroval)
CVE-2026-23737 (same product: Lxsmnsyc Seroval)
CVE-2025-70030 (shared CWE-1333)
CVE-2026-28356 (shared CWE-1333)
CVE-2026-22178 (shared CWE-1333)
CVE-2026-1388 (shared CWE-1333)
CVE-2026-23897 (shared CWE-1333)
CVE-2026-4867 (shared CWE-1333)

References