CVE-2026-26996
Published: 20 February 2026
Summary
CVE-2026-26996 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Minimatch Project Minimatch. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
ReDoS in regex processing of user-controlled glob patterns directly enables Application Exhaustion Flood via targeted resource-intensive feature abuse (exponential backtracking) for DoS.
NVD Description
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Deeper analysis
CVE-2026-26996 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting minimatch versions 10.2.0 and below. minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. The flaw occurs when a glob pattern contains many consecutive * wildcards followed by a literal character that does not appear in the test string. Each * compiles to a separate [^/]*? regex group, and a failed match triggers exponential backtracking in V8's regex engine, with time complexity O(4^N) where N is the number of * characters.
Attackers can exploit this vulnerability remotely with network access, low complexity, no privileges, no user interaction, and no impact on confidentiality or integrity (CVSS 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H; CWE-1333). Any application passing user-controlled strings to minimatch as the pattern argument is vulnerable to denial of service. A single minimatch() call with N=15 asterisks takes approximately 2 seconds, while N=34 causes it to hang effectively forever, enabling resource exhaustion.
The issue has been fixed in minimatch version 10.2.1. Security practitioners should upgrade to this version. Additional details are available in the GitHub security advisory at https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26 and the fixing commit at https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5.
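Beyond upgrading, an application that must accept glob patterns from users can refuse the shape described in the NVD description and the analysis above (long runs of * and large total counts of *) before the string ever reaches minimatch(). The following pre-check is an added example, not code from the advisory or the minimatch project; the thresholds and the sample patterns are assumptions chosen for illustration.

```javascript
// Added example: a defender-side gate for user-supplied glob patterns.
// Thresholds are assumptions; tune them to the patterns your application expects.
const MAX_CONSECUTIVE_STARS = 2;   // "**" (globstar) is the longest run with glob meaning
const MAX_TOTAL_STARS = 8;         // well below the N=15 (~2 s) figure in the advisory
const MAX_PATTERN_LENGTH = 256;    // coarse cap on overall pattern size

/**
 * Inspect a glob pattern before handing it to minimatch().
 * Returns { ok: true } or { ok: false, reason }.
 * A run of '*' longer than MAX_CONSECUTIVE_STARS is the CVE-2026-26996 shape;
 * the total-star cap bounds how many [^/]*? groups the compiled regex can hold.
 * Escaped stars (\*) are counted too, which is conservative (a false positive,
 * never a false negative).
 */
function checkGlobPattern(pattern) {
  if (typeof pattern !== "string") {
    return { ok: false, reason: "pattern must be a string" };
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: `pattern longer than ${MAX_PATTERN_LENGTH} characters` };
  }
  let run = 0;
  let longestRun = 0;
  let total = 0;
  for (const ch of pattern) {
    if (ch === "*") {
      run += 1;
      total += 1;
      if (run > longestRun) longestRun = run;
    } else {
      run = 0;
    }
  }
  if (longestRun > MAX_CONSECUTIVE_STARS) {
    return { ok: false, reason: `run of ${longestRun} consecutive '*' (max ${MAX_CONSECUTIVE_STARS})` };
  }
  if (total > MAX_TOTAL_STARS) {
    return { ok: false, reason: `${total} '*' wildcards in pattern (max ${MAX_TOTAL_STARS})` };
  }
  return { ok: true };
}

// Constructed sample inputs: an ordinary pattern and the shape the advisory describes.
const SAMPLES = {
  typical: "src/**/*.test.js",
  suspicious: "*".repeat(20) + "z",
};

console.log(checkGlobPattern(SAMPLES.typical));     // { ok: true }
console.log(checkGlobPattern(SAMPLES.suspicious));  // { ok: false, reason: "run of 20 ..." }
```

Rejected patterns should be logged with the caller's identity, since repeated submissions of this shape are a useful detection signal for an attempted Application Exhaustion Flood.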
Details
- CWE(s)