Description
The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. This vulnerability is fixed with commit 759bbc3e32073c3bc4e25969c132fc520eda2778.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds Read
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the SmartypantsRenderer of the gomarkdown/markdown library; when parsing a malformed input that contains a '<' character which is not closed by a '>' later in the text, the renderer performs an out-of-bounds read or may trigger a panic. This weakness is classified as CWE‑125 and CWE‑1286, an undefined behavior caused by reading memory beyond allocated bounds.

Affected Systems

The affected product is the Go library github.com/gomarkdown/markdown, which is used by developers to parse Markdown content and render it as HTML. Affected versions are those prior to the patch introduced by commit 759bbc3e32073c3bc4e25969c132fc520eda2778; the CVE data does not list specific version numbers.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity attack, and although the EPSS score is 0.0005 (<1%), the absence of a KEV listing suggests that the vulnerability is not currently widely exploited. However, any application that incorporates the gomarkdown/markdown library to render user-supplied Markdown, especially via SmartypantsRenderer, represents a potential attack surface. An attacker could supply specially crafted Markdown content to trigger the out‑of‑bounds read, causing a crash or, in some exploitation contexts, leaking memory contents if the runtime environment allows such access.

Generated by OpenCVE AI on April 28, 2026 at 16:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the gomarkdown/markdown library to the version including commit 759bbc3e32073c3bc4e25969c132fc520eda2778 or later.
  • If upgrading is not immediately possible, avoid using SmartypantsRenderer or configure the application to skip that renderer for untrusted input.
  • Validate or sanitize input before rendering to ensure no stray '<' characters remain unclosed, reducing the risk of this out‑of‑bounds read.

Generated by OpenCVE AI on April 28, 2026 at 16:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-77fj-vx54-gvh7 Go Markdown has an Out-of-bounds Read in SmartypantsRenderer
History

Mon, 27 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gomarkdown:markdown:*:*:*:*:*:go:*:*

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1286
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 22 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Gomarkdown
Gomarkdown markdown
Vendors & Products Gomarkdown
Gomarkdown markdown

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Processing a malformed input containing a < character that is not followed by a > character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic. This vulnerability is fixed with commit 759bbc3e32073c3bc4e25969c132fc520eda2778.
Title github.com/gomarkdown/markdown: Out-of-bounds Read in SmartypantsRenderer
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Gomarkdown Markdown
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T20:36:07.854Z

Reserved: 2026-04-15T16:37:22.766Z

Link: CVE-2026-40890

cve-icon Vulnrichment

Updated: 2026-04-21T20:16:30.316Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T20:17:02.810

Modified: 2026-04-27T15:07:26.230

Link: CVE-2026-40890

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-21T19:51:53Z

Links: CVE-2026-40890 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T16:30:35Z

Weaknesses