{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40890", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.766Z", "datePublished": "2026-04-21T19:51:53.237Z", "dateUpdated": "2026-04-21T20:36:07.854Z"}, "containers": {"cna": {"title": "github.com/gomarkdown/markdown: Out-of-bounds Read in SmartypantsRenderer", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7"}, {"name": "https://github.com/gomarkdown/markdown/commit/759bbc3e32073c3bc4e25969c132fc520eda2778", "tags": ["x_refsource_MISC"], "url": "https://github.com/gomarkdown/markdown/commit/759bbc3e32073c3bc4e25969c132fc520eda2778"}], "affected": [{"vendor": "gomarkdown", "product": "markdown", "versions": [{"version": "< 759bbc3e32073c3bc4e25969c132fc520eda2778", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:51:53.237Z"}, "descriptions": [{"lang": "en", "value": "The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. This vulnerability is fixed with commit 759bbc3e32073c3bc4e25969c132fc520eda2778."}], "source": {"advisory": "GHSA-77fj-vx54-gvh7", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:16:21.788511Z", "id": "CVE-2026-40890", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:36:07.854Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40890", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T20:16:21.788511Z"}}}], "references": [{"url": "https://github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:16:30.316Z"}}], "cna": {"title": "github.com/gomarkdown/markdown: Out-of-bounds Read in SmartypantsRenderer", "source": {"advisory": "GHSA-77fj-vx54-gvh7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "gomarkdown", "product": "markdown", "versions": [{"status": "affected", "version": "< 759bbc3e32073c3bc4e25969c132fc520eda2778"}]}], "references": [{"url": "https://github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7", "name": "https://github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gomarkdown/markdown/commit/759bbc3e32073c3bc4e25969c132fc520eda2778", "name": "https://github.com/gomarkdown/markdown/commit/759bbc3e32073c3bc4e25969c132fc520eda2778", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. This vulnerability is fixed with commit 759bbc3e32073c3bc4e25969c132fc520eda2778."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:51:53.237Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40890", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:36:07.854Z", "dateReserved": "2026-04-15T16:37:22.766Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T19:51:53.237Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gomarkdown:markdown:*:*:*:*:*:go:*:*", "matchCriteriaId": "82C227BF-A9A1-4CD5-9664-916EAAB6DDAA", "versionEndExcluding": "2026-04-10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. This vulnerability is fixed with commit 759bbc3e32073c3bc4e25969c132fc520eda2778."}], "id": "CVE-2026-40890", "lastModified": "2026-04-27T15:07:26.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T20:17:02.810", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/gomarkdown/markdown/commit/759bbc3e32073c3bc4e25969c132fc520eda2778"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "github.com/gomarkdown/markdown: github.com/gomarkdown/markdown: Denial of Service via malformed Markdown input", "id": "2460245", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460245"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1286", "details": ["A flaw was found in github.com/gomarkdown/markdown, a Go library for parsing Markdown text and rendering as HTML. A remote attacker could exploit this vulnerability by providing a specially crafted malformed input. Specifically, input containing a '<' character not followed by a '>' character, when processed by the SmartypantsRenderer, can lead to an out-of-bounds read or a panic. This can result in a denial of service (DoS) for the application, making it unavailable to legitimate users."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-40890", "package_state": [{"cpe": "cpe:/a:redhat:kube_descheduler_operator:4", "fix_state": "Affected", "package_name": "kube-descheduler-operator/descheduler-rhel9", "product_name": "Kube Descheduler Operator"}, {"cpe": "cpe:/a:redhat:kube_descheduler_operator:5", "fix_state": "Affected", "package_name": "kube-descheduler-operator/descheduler-rhel9", "product_name": "Kube Descheduler Operator"}, {"cpe": "cpe:/a:redhat:multicluster_globalhub", "fix_state": "Affected", "package_name": "multicluster-globalhub/multicluster-globalhub-grafana-rhel9", "product_name": "Multicluster Global Hub"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/acm-grafana-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}], "public_date": "2026-04-21T19:51:53Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40890\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40890\nhttps://github.com/gomarkdown/markdown/commit/759bbc3e32073c3bc4e25969c132fc520eda2778\nhttps://github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7"], "statement": "This is an Important denial of service flaw affecting Red Hat products that utilize the `github.com/gomarkdown/markdown` library. The vulnerability occurs when the `SmartypantsRenderer` processes specially crafted malformed Markdown input containing an unclosed '<' character, leading to an out-of-bounds read or application panic. A successful exploitation may lead the application using the library unavailable.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,759bbc3e32073c3bc4e25969c132fc520eda2778)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "markdown", "source": "cna", "vendor": "gomarkdown"}, "product": "markdown", "vendor": "gomarkdown"}], "analysis": {"en": {"generated_at": "2026-04-28T16:15:40.105702+00:00", "value": {"mitigation_remediation": ["Update the gomarkdown/markdown library to the version including commit 759bbc3e32073c3bc4e25969c132fc520eda2778 or later.", "If upgrading is not immediately possible, avoid using SmartypantsRenderer or configure the application to skip that renderer for untrusted input.", "Validate or sanitize input before rendering to ensure no stray '<' characters remain unclosed, reducing the risk of this out\u2011of\u2011bounds read."], "summary": {"action": "Immediate Patch", "impact": "Out-of-bounds Read"}, "threat_synthesis": {"affected_systems": "The affected product is the Go library github.com/gomarkdown/markdown, which is used by developers to parse Markdown content and render it as HTML. Affected versions are those prior to the patch introduced by commit 759bbc3e32073c3bc4e25969c132fc520eda2778; the CVE data does not list specific version numbers.", "description_and_impact": "The vulnerability resides in the SmartypantsRenderer of the gomarkdown/markdown library; when parsing a malformed input that contains a '<' character which is not closed by a '>' later in the text, the renderer performs an out-of-bounds read or may trigger a panic. This weakness is classified as CWE\u2011125 and CWE\u20111286, an undefined behavior caused by reading memory beyond allocated bounds.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity attack, and although the EPSS score is 0.0005 (<1%), the absence of a KEV listing suggests that the vulnerability is not currently widely exploited. However, any application that incorporates the gomarkdown/markdown library to render user-supplied Markdown, especially via SmartypantsRenderer, represents a potential attack surface. An attacker could supply specially crafted Markdown content to trigger the out\u2011of\u2011bounds read, causing a crash or, in some exploitation contexts, leaking memory contents if the runtime environment allows such access."}}}}, "created": "2026-04-22T04:15:07.395287+00:00", "updated": "2026-04-28T16:30:35.080793+00:00", "vendors": ["gomarkdown", "gomarkdown$PRODUCT$markdown"]}