Cyber Resilience

CVE-2026-26996

Severity: High · Public PoC

Published: 20 February 2026
Modified: 06 March 2026
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0052 (40.0th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-26996 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Minimatch Project Minimatch. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE is ranked at the 40.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26996 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting minimatch versions 10.2.0 and below. minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. The flaw occurs when a glob pattern contains many consecutive * wildcards followed by a literal character that does not appear in the test string. Each * compiles to a separate [^/]*? regex group, and a failed match triggers exponential backtracking in V8's regex engine, with time complexity O(4^N) where N is the number of * characters.

Attackers can exploit this vulnerability remotely with network access, low complexity, no privileges, no user interaction, and no impact on confidentiality or integrity (CVSS 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H; CWE-1333). Any application passing user-controlled strings to minimatch as the pattern argument is vulnerable to denial of service. A single minimatch() call with N=15 asterisks takes approximately 2 seconds, while N=34 causes it to hang effectively forever, enabling resource exhaustion.

The issue has been fixed in minimatch version 10.2.1. Security practitioners should upgrade to this version. Additional details are available in the GitHub security advisory at https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 and the fixing commit at https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5.

Vulnerability details

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

ReDoS in regex processing of user-controlled glob patterns directly enables Application Exhaustion Flood via targeted resource-intensive feature abuse (exponential backtracking) for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27904 · Same product: Minimatch Project Minimatch
CVE-2026-27903 · Same product: Minimatch Project Minimatch
CVE-2026-34939 · Shared CWE-1333
CVE-2025-27220 · Shared CWE-1333
CVE-2026-9496 · Shared CWE-1333
CVE-2025-70030 · Shared CWE-1333
CVE-2026-30837 · Shared CWE-1333
CVE-2026-21868 · Shared CWE-1333
CVE-2025-70034 · Shared CWE-1333
CVE-2025-10990 · Shared CWE-1333

Affected Assets

minimatch project
minimatch
3.0.0 — 3.1.3 · 4.0.0 — 4.2.4 · 5.0.0 — 5.1.7

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Flaw remediation directly mitigates this ReDoS vulnerability by applying the patch in minimatch version 10.2.1.

SI-10 Information Input Validation (prevent)
Information input validation prevents ReDoS by rejecting or sanitizing user-controlled glob patterns with excessive consecutive asterisks.

SC-5 Denial-of-Service Protection (prevent)
Denial-of-service protection limits the impact of resource exhaustion from ReDoS attacks via rate limiting or connection controls.
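The SI-10 control above and the vulnerability description (runs of consecutive * in a user-controlled pattern) can be turned into a concrete pre-check that runs before a pattern is ever handed to minimatch. The following is an added example written for this page; it is not minimatch's own code or the upstream fix. The threshold values (MAX_PATTERN_LENGTH, MAX_STAR_RUN), the decision to keep "**" only as a whole path segment, and the helper names are assumptions chosen for illustration.

```javascript
// Added example: validate/normalize user-supplied glob patterns before they
// reach minimatch. Hypothetical guard, not part of the minimatch project.
// Assumed limits: cap pattern length, and allow at most two consecutive '*'
// so that a globstar segment ("**") still passes.
const MAX_PATTERN_LENGTH = 256;
const MAX_STAR_RUN = 2;

// Length of the longest run of consecutive '*' characters in the pattern.
// This is the N from the advisory's O(4^N) backtracking estimate.
function longestStarRun(pattern) {
  let longest = 0;
  let current = 0;
  for (const ch of pattern) {
    if (ch === '*') {
      current += 1;
      if (current > longest) longest = current;
    } else {
      current = 0;
    }
  }
  return longest;
}

// Reject-by-default validation: returns { ok, reason } rather than throwing,
// so callers can log the reason and return a 4xx to the client.
function validateGlobPattern(pattern) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern is not a string' };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: `pattern longer than ${MAX_PATTERN_LENGTH} characters` };
  }
  const run = longestStarRun(pattern);
  if (run > MAX_STAR_RUN) {
    return { ok: false, reason: `${run} consecutive '*' characters (limit ${MAX_STAR_RUN})` };
  }
  return { ok: true, reason: null };
}

// Sanitizing alternative (assumption: a whole-segment run of '*' is meant as
// a globstar and is kept as "**"; a run inside a segment is collapsed to one
// '*', which matches the same set of names without the extra regex groups).
function normalizeStarRuns(pattern) {
  return pattern
    .split('/')
    .map((segment) => {
      if (segment.length >= 2 && /^\*+$/.test(segment)) return '**';
      return segment.replace(/\*{2,}/g, '*');
    })
    .join('/');
}

// Constructed sample inputs: a normal glob, a globstar glob, and a pattern of
// the shape the advisory describes (many '*' followed by a literal).
const SAMPLE_PATTERNS = [
  'src/**/*.js',
  '**/README.md',
  '*'.repeat(34) + 'a',
];

function checkSamples(patterns = SAMPLE_PATTERNS) {
  return patterns.map((p) => ({
    pattern: p.length > 40 ? p.slice(0, 37) + '...' : p,
    validation: validateGlobPattern(p),
    normalized: normalizeStarRuns(p),
  }));
}

for (const result of checkSamples()) {
  console.log(result);
}
```

In a web service the validate step belongs at the request boundary, so that a rejected pattern is logged with its reason and counted for SC-5 style rate limiting; normalizeStarRuns is the softer option for callers that would rather accept the request and strip the pathological structure.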