Cyber Posture

CVE-2026-25048

HighPublic PoC

Published: 05 March 2026

Published
05 March 2026
Modified
13 March 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0008 22.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25048 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Mlc-Ai Xgrammar. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 22.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CP-7 Alternate Processing Site
addresses: CWE-674

Supports resumption at alternate site when uncontrolled recursion causes primary site failure or crash.

SC-5 Denial-of-service Protection
addresses: CWE-674

Prevents uncontrolled recursion that exhausts stack or CPU resources.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Vulnerability triggers remote segfault via uncontrolled recursion in exposed xgrammar library, directly enabling application crash and availability denial through software exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.

Deeper analysisAI

CVE-2026-25048 is a vulnerability in the xgrammar open-source library, which enables efficient, flexible, and portable structured generation. In versions prior to 0.1.32, processing multi-level nested syntax triggers a segmentation fault resulting in a core dump. The issue carries a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-674 (Uncontrolled Recursion).

Attackers require only network access to exploit this vulnerability, with low attack complexity, no privileges, and no user interaction needed. Successful exploitation causes high-impact availability disruption through application crashes via segmentation faults, enabling denial-of-service attacks against systems using vulnerable xgrammar instances.

The vulnerability has been patched in xgrammar version 0.1.32. Security practitioners should upgrade to this version or later, as detailed in the project's GitHub release notes (https://github.com/mlc-ai/xgrammar/releases/tag/v0.1.32) and security advisory (https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-7rgv-gqhr-fxg3).

Details

CWE(s)
CWE-674

Affected Products

mlc-ai
xgrammar
≤ 0.1.32

CVEs Like This One

CVE-2026-33908Shared CWE-674
CVE-2026-41636Shared CWE-674
CVE-2026-32944Shared CWE-674
CVE-2026-39376Shared CWE-674
CVE-2026-33498Shared CWE-674
CVE-2024-8176Shared CWE-674
CVE-2026-30922Shared CWE-674
CVE-2026-1849Shared CWE-674
CVE-2026-42039Shared CWE-674
CVE-2024-57699Shared CWE-674

References