Impact
In rdiscount versions from 1.3.1.1 up to but not including 2.2.7.4, a signed length truncation bug lets an attacker supply Markdown data larger than INT_MAX. The length is truncated to a signed integer before parsing, so the parser reads past the end of the supplied buffer and crashes the process. The crash amounts to a denial of service because the process terminates unexpectedly. The issue is classified as CWE-125, an out-of-bounds read. It lets an attacker disrupt the availability of any service or application that renders Markdown with the affected rdiscount library, potentially causing downtime or requiring a restart. The impact is limited to denial of service; confidentiality and integrity are not directly compromised.
Affected Systems
The affected software is David Fstr’s rdiscount Markdown implementation. Versions from 1.3.1.1 up to but not including 2.2.7.4 are vulnerable. Any deployment using an older rdiscount package, regardless of operating system, is at risk if Markdown input is processed without size validation. Releases from 2.2.7.4 onward include the fix, so the risk is confined to older releases. Users who rely on rdiscount in web servers, static site generators, content management systems, or any other tooling that renders Markdown must review their dependency versions.
Risk and Exploitability
The CVSS score of 5.9 indicates a moderate-severity vulnerability. EPSS information is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, an attacker can trigger a crash by supplying a specially crafted Markdown document whose length exceeds the 32-bit signed integer limit, causing the parser to over-read. The attack requires only limited knowledge of the input format and no additional privileges; it can be launched from any source that can feed Markdown data into the parser. The risk is therefore significant wherever continuous availability is critical. With no reported real-world exploitation and no known active exploits, the likelihood of immediate targeting is uncertain, but the potential for service disruption justifies timely remediation.
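Two defender-side checks that follow from the Affected Systems and Impact sections, written as an added example (not rdiscount's own code): whether an installed rdiscount version falls in the affected range, and whether a document's byte length would survive the C extension's narrowing to a signed 32-bit int. The narrowing emulation assumes a 32-bit C int; MAX_DOC_BYTES is an assumed deployment limit, not a value from the advisory.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement; loaded by default in modern Ruby

# Affected range as stated in the advisory: >= 1.3.1.1 and < 2.2.7.4.
VULNERABLE_RANGE = Gem::Requirement.new(">= 1.3.1.1", "< 2.2.7.4")

# True when the given rdiscount version string is in the affected range.
def rdiscount_vulnerable?(version)
  VULNERABLE_RANGE.satisfied_by?(Gem::Version.new(version))
end

# Checks the rdiscount gem RubyGems would load in this process, if installed.
# Returns nil when the gem is not present at all.
def installed_rdiscount_vulnerable?
  spec = Gem.loaded_specs["rdiscount"] || Gem::Specification.find_by_name("rdiscount")
  rdiscount_vulnerable?(spec.version.to_s)
rescue Gem::MissingSpecError
  nil
end

INT_MAX = 2**31 - 1 # assumes a 32-bit C int, as on every mainstream platform

# Emulates the bug's narrowing step: keep the low 32 bits of the length and
# reinterpret them as a signed int. Lengths above INT_MAX come back negative
# or wrapped, which is what sends the parser past the end of the buffer.
def narrow_to_c_int(length)
  [length & 0xFFFF_FFFF].pack("L").unpack1("l")
end

# Assumed deployment limit: no Markdown document a service renders should be
# anywhere near INT_MAX bytes, so pick something far smaller.
MAX_DOC_BYTES = 16 * 1024 * 1024

# Guard to run before handing a document to the renderer: reject anything over
# the deployment limit, and independently anything that would not fit a C int.
def safe_markdown_length?(markdown, limit: MAX_DOC_BYTES)
  size = markdown.bytesize
  size <= limit && size <= INT_MAX
end

if __FILE__ == $PROGRAM_NAME
  puts "2.2.0.1 vulnerable? #{rdiscount_vulnerable?('2.2.0.1')}"
  puts "2.2.7.4 vulnerable? #{rdiscount_vulnerable?('2.2.7.4')}"
  puts "INT_MAX + 1 narrows to #{narrow_to_c_int(INT_MAX + 1)}"
  puts "installed gem vulnerable? #{installed_rdiscount_vulnerable?.inspect}"
end
```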
OpenCVE Enrichment
Github GHSA