UBUNTU-CVE-2026-33079

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-33079

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33079.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-33079

Upstream

CVE-2026-33079

Published

2026-05-06T18:16:00Z

Modified

2026-05-20T16:25:23.930506401Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in LINK_TITLE_RE that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping alternatives that can trigger catastrophic backtracking. In both the double-quoted and single-quoted branches, a backslash followed by punctuation can be matched either as an escaped punctuation sequence or as two ordinary characters, creating an ambiguous pattern inside a repeated group. If an attacker supplies Markdown containing repeated ! sequences with no closing quote, the regex engine explores an exponential number of backtracking paths. This is reachable through normal Markdown parsing of inline links and block link reference definitions. A small crafted input can therefore cause significant CPU consumption and make applications using Mistune unresponsive.

References

Affected packages

Ubuntu:16.04:LTS

mistune

Package

Name: mistune
Purl: pkg:deb/ubuntu/mistune?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.6-2

0.7.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.7.1-1",
            "binary_name": "python-mistune"
        },
        {
            "binary_version": "0.7.1-1",
            "binary_name": "python3-mistune"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33079.json"

Ubuntu:18.04:LTS

mistune

Package

Name: mistune
Purl: pkg:deb/ubuntu/mistune?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.7.4-1

0.8-1

0.8.1-1

0.8.3-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.8.3-2",
            "binary_name": "python-mistune"
        },
        {
            "binary_version": "0.8.3-2",
            "binary_name": "python3-mistune"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33079.json"

Ubuntu:20.04:LTS

mistune

Package

Name: mistune
Purl: pkg:deb/ubuntu/mistune?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.8.4-1

0.8.4-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.8.4-2",
            "binary_name": "python3-mistune"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33079.json"

Ubuntu:22.04:LTS

mistune

Package

Name: mistune
Purl: pkg:deb/ubuntu/mistune?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.8.4-4

0.8.4-5

2.*

2.0.0-1+really0.8.4-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.0.0-1+really0.8.4-1",
            "binary_name": "python3-mistune"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33079.json"

Ubuntu:24.04:LTS

mistune

Package

Name: mistune
Purl: pkg:deb/ubuntu/mistune?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.4-2

3.*

3.0.2-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.0.2-1",
            "binary_name": "python3-mistune"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33079.json"

Ubuntu:25.10

mistune

Package

Name: mistune
Purl: pkg:deb/ubuntu/mistune?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.2-2

3.1.3-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.1.3-1",
            "binary_name": "python3-mistune"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33079.json"

Ubuntu:26.04:LTS

mistune

Package

Name: mistune
Purl: pkg:deb/ubuntu/mistune?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.3-1

3.1.4-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.1.4-1",
            "binary_name": "python3-mistune"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33079.json"