Cyber Resilience

CVE-2026-23956

High · Updated

Published: 22 January 2026

Modified: 20 May 2026
KEV Added: not listed
Patch: fixed in 1.4.1
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0007 (21.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23956 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Lxsmnsyc Seroval. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 21.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-Service Protection).

Deeper analysis

CVE-2026-23956 affects the seroval JavaScript library, which enables stringification of JavaScript values including complex structures beyond the capabilities of JSON.stringify. In versions 1.4.0 and earlier, the vulnerability arises from overriding RegExp serialization with extremely large patterns, which can exhaust JavaScript runtime memory during deserialization. Additionally, patterns that trigger catastrophic backtracking can cause ReDoS (Regular Expression Denial of Service). The issue is classified under CWE-1333 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, authentication, or user interaction. By crafting malicious serialized payloads with oversized or backtracking-prone RegExp patterns, unauthenticated attackers can trigger memory exhaustion or prolonged CPU usage during deserialization, resulting in denial of service that disrupts application availability.

The seroval security advisory and associated commit confirm the issue has been addressed in version 1.4.1. Security practitioners should upgrade to this patched version to mitigate the vulnerability, as detailed in the GitHub security advisory (GHSA-hx9m-jf43-8ffr) and the fixing commit (ce9408ebc87312fcad345a73c172212f2a798060).

EU & UK References

Vulnerability details

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct remote exploitation of library deserialization flaw (oversized/backtracking RegExp) to trigger memory/CPU exhaustion and application DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24006 (same product: Lxsmnsyc Seroval)
CVE-2026-23957 (same product: Lxsmnsyc Seroval)
CVE-2026-23737 (same product: Lxsmnsyc Seroval)
CVE-2026-23736 (same product: Lxsmnsyc Seroval)
CVE-2024-46242 (shared CWE-1333)
CVE-2025-70030 (shared CWE-1333)
CVE-2024-41766 (shared CWE-1333)
CVE-2026-4867 (shared CWE-1333)
CVE-2025-10990 (shared CWE-1333)
CVE-2026-27904 (shared CWE-1333)

Affected Assets

Vendor: lxsmnsyc
Product: seroval
Versions: ≤ 1.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly requires applying the vendor patch (upgrade to seroval 1.4.1) that eliminates the RegExp memory-exhaustion and ReDoS flaws.

prevent: Requires validation of deserialized input to reject oversized or catastrophic-backtracking RegExp patterns before they reach seroval.

prevent: Mandates technical controls that limit resource exhaustion from untrusted serialization payloads, mitigating the resulting denial-of-service.
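The second and third controls above call for rejecting oversized or backtracking-prone RegExp patterns and bounding payload size before deserialization. The following is an added example of such a pre-deserialization guard; it is not seroval's or the advisory's own code. Because this page does not describe seroval's wire format, the guard assumes the caller has already extracted (source, flags) pairs from the untrusted payload, and the limits in DEFAULT_LIMITS and the NESTED_QUANTIFIER heuristic are assumptions to tune per application.

```javascript
// Added example (not seroval's or the advisory's own code): a pre-deserialization
// guard that rejects oversized or backtracking-prone RegExp patterns before an
// untrusted payload reaches a deserializer such as seroval.
// Assumptions: the caller has already extracted (source, flags) pairs from the
// payload; the limits below are constructed placeholders to tune per application.

const DEFAULT_LIMITS = {
  maxPatternLength: 1024,      // constructed bound on a single RegExp source
  maxPayloadBytes: 256 * 1024, // constructed bound on the whole serialized payload
};

// Screening heuristic for the classic catastrophic-backtracking shape: a group
// whose content ends in + or * and which is itself repeated, e.g. (a+)+ or
// (?:x*){2,}. It flags the common case only and is not a proof of linear-time
// matching, so the length cap stays the primary control.
const NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*[+*]\??\)(?:[+*]|\{\d+,)/;

// Bound the whole payload before parsing anything inside it.
function checkPayloadSize(payload, limits = DEFAULT_LIMITS) {
  const bytes = new TextEncoder().encode(payload).length;
  if (bytes > limits.maxPayloadBytes) {
    return { ok: false, reason: `payload is ${bytes} bytes, limit ${limits.maxPayloadBytes}` };
  }
  return { ok: true };
}

function checkRegExpPattern(source, flags = '', limits = DEFAULT_LIMITS) {
  if (typeof source !== 'string' || typeof flags !== 'string') {
    return { ok: false, reason: 'pattern source and flags must be strings' };
  }
  // Cheapest check first: an oversized pattern is rejected before any compile.
  if (source.length > limits.maxPatternLength) {
    return { ok: false, reason: `pattern is ${source.length} chars, limit ${limits.maxPatternLength}` };
  }
  if (NESTED_QUANTIFIER.test(source)) {
    return { ok: false, reason: 'nested quantifier: possible catastrophic backtracking' };
  }
  try {
    // Syntax check only; the compiled RegExp is never run against input here.
    void new RegExp(source, flags);
  } catch (err) {
    return { ok: false, reason: `invalid pattern: ${err.message}` };
  }
  return { ok: true };
}

// Vet every extracted RegExp entry and report all rejections, so a log line
// can name what was dropped instead of stopping at the first failure.
function vetRegExps(entries, limits = DEFAULT_LIMITS) {
  const rejected = [];
  entries.forEach(({ source, flags }, index) => {
    const result = checkRegExpPattern(source, flags, limits);
    if (!result.ok) rejected.push({ index, reason: result.reason });
  });
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample entries: one benign pattern, one oversized, one nested.
const SAMPLE_ENTRIES = [
  { source: '^[a-z0-9_-]{3,16}$', flags: 'i' },
  { source: 'a'.repeat(5000), flags: '' },
  { source: '^(a+)+$', flags: '' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(vetRegExps(SAMPLE_ENTRIES)); // rejects entries 1 and 2
}
```

The order of checks matters: the length cap runs before the heuristic and before `new RegExp`, so a pattern large enough to strain the engine is never compiled. Run this against the extracted entries and refuse the whole payload if `vetRegExps(...).ok` is false, rather than dropping individual entries, so the deserializer only ever sees input that passed every check.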

References