Description
A flaw has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb. This vulnerability affects the function matchstar of the file re.c of the component Pattern Handler. This manipulation causes inefficient regular expression complexity. The attack is restricted to local execution. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-08
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in tiny-regex-c’s matchstar routine can be exploited with a carefully crafted regular expression to create an inefficient match that consumes excessive CPU cycles. When an attacker supplies a malicious pattern, the implementation will traverse a long exploratory path, leading to a local denial of service. The weakness is a classic resource exhaustion scenario, classified as CWE‑1333 and CWE‑400, and affects only the local execution context—remote exploitation would require the attacker to already have local code‑execution privileges or to control a component that runs the library internally.

Affected Systems

All released versions of kokke tiny-regex-c up to commit f2632c6d9ed25272987471cdb8b70395c2460bdb are affected. The project uses a rolling‑release model, so no fixed version can be pinpointed; users must monitor the repository for a future fix.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity, and the EPSS score is unavailable, making it unclear how often this flaw is targeted. Because the attack is restricted to local execution and no command‑execution vector is present, the risk is limited to service degradation on the local machine. The vulnerability is not listed in CISA’s KEV catalog, suggesting it is not a widely‑being‑exploited threat yet.

Generated by OpenCVE AI on June 8, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review code paths that accept user‑supplied patterns, and either validate or whitelist patterns before invoking matchstar or move such validation outside the library.
  • If operating in a multithreaded or high‑availability environment, isolate the regex engine in a sandbox or worker process and enforce CPU or time limits on regex evaluations.
  • Stay informed of upstream changes by monitoring the kokke/tiny-regex-c GitHub repository, and redeploy the latest revision once the issue is fixed or a mitigative fix is released.

Generated by OpenCVE AI on June 8, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Description A flaw has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb. This vulnerability affects the function matchstar of the file re.c of the component Pattern Handler. This manipulation causes inefficient regular expression complexity. The attack is restricted to local execution. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
Title kokke tiny-regex-c Pattern re.c matchstar redos
First Time appeared Kokke
Kokke tiny-regex-c
Weaknesses CWE-1333
CWE-400
CPEs cpe:2.3:a:kokke:tiny-regex-c:*:*:*:*:*:*:*:*
Vendors & Products Kokke
Kokke tiny-regex-c
References
Metrics cvssV2_0

{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Kokke Tiny-regex-c
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-08T10:59:56.190Z

Reserved: 2026-06-07T09:42:50.401Z

Link: CVE-2026-11478

cve-icon Vulnrichment

Updated: 2026-06-08T10:59:52.601Z

cve-icon NVD

Status : Deferred

Published: 2026-06-08T03:16:19.997

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11478

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:57:37Z

Weaknesses