UBUNTU-CVE-2026-46378

Source
https://ubuntu.com/security/CVE-2026-46378
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-46378.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-46378
Upstream
Published
2026-07-17T00:00:00Z
Modified
2026-07-17T14:30:56.893529901Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. From 3.0.0 until 3.10.1, the selector lexer matchRegexPattern closure in (*Tokenizer).parseCurRune in selector/lexer/tokenize.go loops while tokenizing an unterminated regex literal such as r/ because peekRuneEqual returns false after the end of input, allowing attacker-controlled selector strings to consume CPU indefinitely. This issue is fixed in version 3.10.1.

References

Affected packages

Ubuntu:Pro:24.04:LTS / dasel

Package

Name
dasel
Purl
pkg:deb/ubuntu/dasel?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.6.0-1
2.6.0-1build1
2.6.0-1ubuntu0.1
2.6.0-1ubuntu0.2
2.6.0-1ubuntu0.2+esm1
2.6.0-1ubuntu0.3
2.6.0-1ubuntu0.3+esm1
2.6.0-1ubuntu0.3+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.6.0-1ubuntu0.3+esm2",
            "binary_name": "dasel"
        },
        {
            "binary_version": "2.6.0-1ubuntu0.3+esm2",
            "binary_name": "golang-github-tomwright-dasel-dev"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-46378.json"

Ubuntu:26.04:LTS / dasel

Package

Name
dasel
Purl
pkg:deb/ubuntu/dasel?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.8.1-1
2.8.1-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2.8.1-1build1",
            "binary_name": "dasel"
        },
        {
            "binary_version": "2.8.1-1build1",
            "binary_name": "golang-github-tomwright-dasel-dev"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-46378.json"