Description
A weakness has been identified in Orc discount up to 3.0.1.2. This issue affects the function compile of the file markdown.c of the component Markdown Handler. This manipulation causes uncontrolled recursion. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project maintainer confirms: "[I]f you feed it an infinitely deep blockquote input it will crash. (...) [T]his is a duplicate of an old bug that I've been working on."
Published: 2026-03-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Denial of Service
Action: Apply Update
AI Analysis

Impact

The vulnerability stems from uncontrolled recursion in the compile function of markdown.c in Orc discount, triggered by feeding the parser an infinitely deep blockquote. The recursion exhausts the stack and the application crashes. The weakness indicates inadequate input validation; the effect is a local denial of service, with no data exposure and no code execution.

Affected Systems

The affected product is Orc discount Markdown Handler, with all releases up to version 3.0.1.2 listed as vulnerable. No newer version is documented as fixed, so users of any version within that range are at risk.

Risk and Exploitability

The CVSS score of 4.8 reflects moderate severity. The vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild is recorded there. The attack requires local access to the system running Orc discount. Exploitation results in a crash, which is a local denial-of-service condition without elevation of privileges or data compromise.

Generated by OpenCVE AI on March 26, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Orc discount to a version newer than 3.0.1.2 when available.
  • If an upgrade is not immediately possible, limit the depth of nested blockquotes fed to the Markdown handler to prevent recursion exhaustion.
  • Run the markdown processing component in a sandboxed or isolated environment to contain any crash.
  • Regularly monitor the Orc discount project repository and issue tracker for patches or updates related to this bug.
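
The depth limit from the second recommendation, as an added example that is not code from the discount project or from this advisory: a C pre-filter that measures blockquote nesting before the input reaches the library. MAX_QUOTE_DEPTH, max_blockquote_depth and markdown_input_allowed are hypothetical names, and the marker-counting rule is a conservative assumption, not discount's own parsing logic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit, not a value from the advisory; size it to the worker's stack. */
#define MAX_QUOTE_DEPTH 32

/* Largest number of '>' markers found in the leading prefix of any line.
 * Spaces and tabs between markers are skipped, which over-counts slightly
 * (e.g. '>' inside an indented code block) and so errs on the side of rejecting. */
size_t max_blockquote_depth(const char *buf, size_t len)
{
    size_t deepest = 0, depth = 0;
    int in_prefix = 1;                 /* still inside the line's leading markers */

    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (c == '\n' || c == '\r') {  /* new line: prefix scan restarts */
            depth = 0;
            in_prefix = 1;
        } else if (in_prefix) {
            if (c == '>') {
                if (++depth > deepest)
                    deepest = depth;
            } else if (c != ' ' && c != '\t') {
                in_prefix = 0;         /* first content byte ends the prefix */
            }
        }
    }
    return deepest;
}

/* Returns 1 if the document may be handed to the Markdown library, 0 to reject. */
int markdown_input_allowed(const char *buf, size_t len)
{
    return max_blockquote_depth(buf, len) <= MAX_QUOTE_DEPTH;
}

int main(void)
{
    /* Constructed sample input, not taken from the advisory. */
    const char *doc = "> quoted\n> > reply\n>>> third level\nplain > text\n";
    size_t n = strlen(doc);

    printf("depth=%zu allowed=%d\n",
           max_blockquote_depth(doc, n), markdown_input_allowed(doc, n));
    return 0;
}
```

The filter looks only at blockquote markers, so it complements the sandboxing recommendation and does not replace it.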

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Orc; Orc discount

Type: Vendors & Products
Values Removed: (none)
Values Added: Orc; Orc discount

Thu, 26 Mar 2026 01:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: A weakness has been identified in Orc discount up to 3.0.1.2. This issue affects the function compile of the file markdown.c of the component Markdown Handler. This manipulation causes uncontrolled recursion. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project maintainer confirms: "[I]f you feed it an infinitely deep blockquote input it will crash. (...) [T]his is a duplicate of an old bug that I've been working on."

Type: Title
Values Removed: (none)
Values Added: Orc discount Markdown markdown.c compile recursion

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-404; CWE-674

Type: References

Type: Metrics
Values Removed: (none)
Values Added:
cvssV2_0 {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:C'}
cvssV3_0 {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:C'}
cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:C'}
cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-30T14:56:20.085Z

Reserved: 2026-03-25T14:19:41.105Z

Link: CVE-2026-4833

Vulnrichment

Updated: 2026-03-30T12:57:49.588Z

NVD

Status: Deferred

Published: 2026-03-26T02:16:08.323

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-4833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:08:52Z

Weaknesses