Cyber Resilience

CVE-2026-25048

HighPublic PoCDDoSUpdated

Published: 05 March 2026

Published
05 March 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0042 33.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25048 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Mlc-Ai Xgrammar. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 33.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25048 is a vulnerability in the xgrammar open-source library, which enables efficient, flexible, and portable structured generation. In versions prior to 0.1.32, processing multi-level nested syntax triggers a segmentation fault resulting in a core dump. The issue carries a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-674 (Uncontrolled Recursion).

Attackers require only network access to exploit this vulnerability, with low attack complexity, no privileges, and no user interaction needed. Successful exploitation causes high-impact availability disruption through application crashes via segmentation faults, enabling denial-of-service attacks against systems using vulnerable xgrammar instances.

The vulnerability has been patched in xgrammar version 0.1.32. Security practitioners should upgrade to this version or later, as detailed in the project's GitHub release notes (https://github.com/mlc-ai/xgrammar/releases/tag/v0.1.32) and security advisory (https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-7rgv-gqhr-fxg3).

EU & UK References

Vulnerability details

xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability triggers remote segfault via uncontrolled recursion in exposed xgrammar library, directly enabling application crash and availability denial through software exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33908Shared CWE-674
CVE-2026-42039Shared CWE-674
CVE-2024-57699Shared CWE-674
CVE-2026-34211Shared CWE-674
CVE-2026-32944Shared CWE-674
CVE-2026-41636Shared CWE-674
CVE-2026-33498Shared CWE-674
CVE-2024-8176Shared CWE-674
CVE-2026-41311Shared CWE-674
CVE-2026-40879Shared CWE-674

Affected Assets

mlc-ai
xgrammar
≤ 0.1.32

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely identification, testing, and installation of patches for vulnerabilities like CVE-2026-25048, preventing segmentation faults from uncontrolled recursion in xgrammar.

detect

Requires vulnerability scanning to identify systems using vulnerable xgrammar versions prior to network-accessible DoS exploitation.

detect

Ensures monitoring and dissemination of security advisories, such as the xgrammar GitHub advisory, to enable rapid awareness and patching of this CWE-674 vulnerability.

References