CVE-2026-26996 — Regex Denial of Service in Minimatch

CWE-1333 — Regex Denial of Service8 documents7 sources

Severity

8.7HIGHNVD

EPSS

0.0%

top 93.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Isaacs Minimatch Minimatch Project Minimatch Debian Node-minimatch

Timeline

PublishedFeb 20

Description

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) …

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶CVEListV5isaacs/minimatch< 10.2.1

▶debiandebian/node-minimatch< node-minimatch 9.0.7-1 (sid)

▶NVDminimatch_project/minimatch3.0.0 — 3.1.3+7

▶npmminimatch_project/minimatch10.0.0 — 10.2.1+7

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-26996: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects↗2026-02-20

▶

GHSA

minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern↗2026-02-18

▶

OSV

minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern↗2026-02-18

▶

📋Vendor Advisories

Red Hat

minimatch: minimatch: Denial of Service via specially crafted glob patterns↗2026-02-20

▶

Debian

CVE-2026-26996: node-minimatch - minimatch is a minimal matching utility for converting glob expressions into Jav...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26996 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-26996 minimatch: minimatch: Denial of Service via specially crafted glob patterns↗2026-02-20

▶