CVE-2026-26996 - Vulnerability Details

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Isaacs Subscribe	Minimatch Subscribe
Minimatch Project Subscribe	Minimatch Subscribe

Configuration 1 [-]

cpe:2.3:a:minimatch_project:minimatch:*:*:*:*:*:node.js:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Isaacs Subscribe	Minimatch Subscribe

Advisories

Source	ID	Title
Github GHSA	GHSA-3ppc-4f35-3m26	minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5
https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
https://nvd.nist.gov/vuln/detail/CVE-2026-26996
https://www.cve.org/CVERecord?id=CVE-2026-26996

History

Sat, 21 Feb 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-26996 https://www.cve.org/CVERecord?id=CVE-2026-26996
Metrics	threat_severity `None`	threat_severity `Important`

Fri, 20 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Minimatch Project Minimatch Project minimatch
CPEs		cpe:2.3:a:minimatch_project:minimatch::::::node.js::*
Vendors & Products		Minimatch Project Minimatch Project minimatch
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 20 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 20 Feb 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Isaacs Isaacs minimatch
Vendors & Products		Isaacs Isaacs minimatch

Fri, 20 Feb 2026 03:15:00 +0000

Type	Values Removed	Values Added
Description		minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Title		minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
Weaknesses		CWE-1333
References		https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5 https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-20T03:05:21.105Z

Updated: 2026-02-20T15:34:15.151Z

Reserved: 2026-02-17T01:41:24.607Z

Link: CVE-2026-26996

Vulnrichment

Updated: 2026-02-20T15:31:37.900Z

NVD

Status : Analyzed

Published: 2026-02-20T03:16:01.620

Modified: 2026-02-20T19:12:33.527

Link: CVE-2026-26996

Redhat

Severity : Important

Publid Date: 2026-02-20T03:05:21Z

Links: CVE-2026-26996 - Bugzilla

OpenCVE Enrichment

Updated: 2026-02-20T09:52:43Z

Weaknesses

CWE-1333

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object