Cyber Resilience

CVE-2026-41680

High · Public PoC · DDoS

Published: 24 April 2026
Modified: 28 April 2026
Patch
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0034 (26.1th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-41680 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Marked (marked project). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 26.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-41680 is a critical Denial of Service (DoS) vulnerability in the Marked markdown parser and compiler, affecting versions 18.0.0 through 18.0.1. The flaw is an infinite recursion loop triggered during parsing by a specific three-byte input sequence: a tab (\x09), a vertical tab (\x0b) and a newline (\n). The recursion causes unbounded memory allocation, leading to memory exhaustion (OOM) and a crash of the host Node.js application. The vulnerability is associated with CWE-400 (Uncontrolled Resource Consumption), CWE-674 (Uncontrolled Recursion) and CWE-835 (Infinite Loop), and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By supplying the malicious three-byte sequence to a Marked parser in a Node.js application—such as in web servers, APIs, or tools that process untrusted Markdown input—the attacker triggers the recursion loop, leading to complete denial of service through application crash.

The official GitHub security advisory (GHSA-6v9c-7cg6-27q7) confirms the issue and states that it is fixed in Marked version 18.0.2. Security practitioners should upgrade to 18.0.2 or later and audit dependencies in Node.js projects using Marked for user-supplied Markdown parsing.

Vulnerability details

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence, a tab, a vertical tab, and a newline (\x09\x0b\n), an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability enables remote exploitation of public-facing applications (T1190) processing untrusted Markdown input, directly facilitating endpoint DoS via application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33116 (shared CWE-400, CWE-835)
CVE-2026-33699 (shared CWE-835)
CVE-2026-40324 (shared CWE-674)
CVE-2026-24831 (shared CWE-835)
CVE-2026-31899 (shared CWE-674)
CVE-2026-30350 (shared CWE-400)
CVE-2024-54730 (shared CWE-400)
CVE-2026-33204 (shared CWE-400)
CVE-2025-40944 (shared CWE-400)
CVE-2026-34648 (shared CWE-400)

Affected Assets

marked project: marked, versions 18.0.0 — 18.0.2

Mitigating Controls (NIST 800-53 r5, AI)

SI-2 Flaw Remediation (prevent): timely patching of the Marked library to version 18.0.2 directly eliminates the infinite recursion vulnerability that causes memory exhaustion.

SC-6 Resource Availability (prevent): resource availability protections allocate dedicated resources and prevent exhaustion from the unbounded memory allocation triggered by the malicious input sequence.

SI-10 Information Input Validation (prevent): input validation detects and rejects the specific three-byte sequence (\x09\x0b\n) before it reaches the Marked parser, preventing the recursion loop.
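An added example, not code from the advisory or the marked project, covering the two remediation steps above: a lock-file audit that flags marked copies in the affected range (18.0.0 up to but not including 18.0.2, per the advisory) and an SI-10 style pre-parse guard that rejects the trigger sequence and oversized input. The lock-file object and the function names are constructed for illustration.

```javascript
// Added example for CVE-2026-41680 (not from the advisory or the marked project).
const VULN_MIN = [18, 0, 0];   // first affected release, per the advisory
const FIXED = [18, 0, 2];      // first fixed release, per the advisory
const TRIGGER = "\x09\x0b\n";  // tab, vertical tab, newline (the documented trigger)

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); pre-release tags are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when VULN_MIN <= version < FIXED.
function isAffectedMarkedVersion(version) {
  const v = parseSemver(version);
  return cmpSemver(v, VULN_MIN) >= 0 && cmpSemver(v, FIXED) < 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2/3) and
// return every marked copy, top-level or nested, that is still affected.
function auditLock(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isMarked = path === "node_modules/marked" || path.endsWith("/node_modules/marked");
    if (isMarked && isAffectedMarkedVersion(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// SI-10 guard to run before handing untrusted Markdown to the parser: cap the
// size and reject the known trigger. This is a stop-gap; upgrading is the fix.
function checkMarkdownInput(input, maxBytes = 256 * 1024) {
  if (Buffer.byteLength(input, "utf8") > maxBytes) return { ok: false, reason: "too-large" };
  if (input.includes(TRIGGER)) return { ok: false, reason: "cve-2026-41680-trigger" };
  return { ok: true };
}

// Constructed sample lock file (not a real project): one affected copy, one fixed.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/marked": { version: "18.0.1" },
  "node_modules/some-tool/node_modules/marked": { version: "18.0.2" },
} };
```

`auditLock(sampleLock)` reports only the top-level 18.0.1 copy; `checkMarkdownInput("a\t\x0b\nb")` is rejected with reason `cve-2026-41680-trigger`.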
