CVE-2026-11478: Inefficient Regex Complexity in kokke tiny-regex-c
CVE-2026-11478 is a denial-of-service vulnerability in the kokke tiny-regex-c library that allows a local attacker to trigger inefficient regular expression processing through the matchstar function. An attacker with local access and basic privileges can craft a malicious regex pattern that causes excessive computation, potentially slowing or stalling applications that parse untrusted regex inputs. The severity is low because exploitation requires local execution and user-level permissions, but the published exploit code means the attack method is already in the wild.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-1333, CWE-400
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A flaw has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb. This vulnerability affects the function matchstar of the file re.c of the component Pattern Handler. This manipulation causes inefficient regular expression complexity. The attack is restricted to local execution. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the matchstar function within re.c of kokke's tiny-regex-c component, which handles pattern matching logic. The flaw introduces inefficient regex complexity (ReDoS-like behavior) that does not involve input validation bypass or logic errors, but rather algorithmic weakness under specific pattern conditions. The CVSS 3.1 score of 3.3 reflects the low attack surface (local-only, low privilege requirement) and limited impact scope (availability only, no confidentiality or integrity breach). The vulnerability is categorized under CWE-1333 (Inefficient Regular Expression Complexity) and CWE-400 (Uncontrolled Resource Consumption), both of which relate to algorithmic complexity abuse rather than memory safety or injection flaws.
Business impact
For teams integrating tiny-regex-c into local tools, build systems, or embedded applications, this vulnerability poses a localized availability risk. If an application accepts regex patterns from untrusted local sources—such as configuration files uploaded by users with limited privilege, or dynamically constructed patterns from log parsing utilities—an attacker can cause the regex engine to consume excessive CPU, triggering service degradation or timeout-based crashes. The impact is typically contained to the affected process rather than system-wide, making it a low-priority fix unless the library is used in performance-critical services that must remain responsive under adversarial input.
Affected systems
The kokke tiny-regex-c library is a lightweight, standalone regex implementation used in embedded systems, IoT devices, and resource-constrained environments where full POSIX regex libraries are impractical. The vulnerability affects all versions up to commit f2632c6d9ed25272987471cdb8b70395c2460bdb. Because the project uses rolling releases rather than versioned builds, affected and patched releases cannot be specified precisely; consumers must verify their exact commit hash against the project repository to determine exposure. Any application or firmware bundle that includes tiny-regex-c compiled from an affected commit is potentially vulnerable if it processes regex input from users or lower-privilege accounts.
Exploitability
The exploit has been publicly disclosed, lowering the barrier to practical attack. However, exploitation remains constrained by three factors: it requires local system access (not remote), it demands at least user-level privilege (not full elevation), and it necessitates the ability to supply a malicious regex pattern to the vulnerable function. In typical deployment scenarios, this combination is uncommon unless the application explicitly exposes regex input to unprivileged users or untrusted local files. Organizations running tiny-regex-c in isolated, trusted-input-only contexts face minimal practical risk; those accepting patterns from multi-tenant or partially-trusted local sources should prioritize patching.
Remediation
Teams using tiny-regex-c should monitor the project's repository for an updated commit that addresses the matchstar inefficiency. Given the rolling-release model, there is no named version number to target; instead, pull the latest main branch commit and validate it resolves the issue. Alternatively, implement input validation to reject or throttle regex patterns of excessive length or complexity before passing them to the library, or migrate to a sandboxed regex processor that can be killed if it exceeds a CPU time budget. Document the specific commit hash of any deployed version to enable rapid assessment if this or future vulnerabilities emerge.
Patch guidance
Verify the latest commit on the kokke tiny-regex-c repository main branch for any fix addressing the matchstar function. Because the project has not yet responded to the early notification and no official patch commit is recorded, contact the maintainers or monitor the repository for updates. When a fix becomes available, test it in a staging environment to confirm the regex complexity inefficiency is resolved and that legitimate regex patterns continue to function correctly. Pin your dependency to a specific (later) commit hash rather than relying on floating version references, to prevent accidental regression if the repository ever reverts a patch.
Detection guidance
Monitor local process CPU and memory usage for applications using tiny-regex-c, particularly during periods when regex patterns are supplied by users or external sources. Look for sudden CPU spikes or sustained high CPU usage coinciding with regex compilation or matching operations. If you have application logs, search for patterns indicating regex processing delays or timeouts. At the code level, use static analysis tools to identify where tiny-regex-c's regex functions are called with unsanitized user input. Code review and threat modeling should highlight any code path where an unprivileged user or local process can influence the regex pattern passed to matchstar.
Why prioritize this
This vulnerability should be prioritized based on your exposure to local, unprivileged users. If tiny-regex-c is embedded in a single-user tool, appliance firmware, or a service that only processes trusted, administrator-defined regex patterns, the risk is acceptably low and patching can be deferred to routine maintenance windows. If the library is used in any application that accepts regex patterns from unprivileged users, multi-tenant environments, or untrusted configuration sources, elevate the priority to medium and schedule a patch within your next planned release cycle. The low CVSS score (3.3) should not be overridden by false urgency, but neither should it mask real business risk in high-exposure deployments.
Risk score, explained
The CVSS 3.1 score of 3.3 (LOW) reflects a narrow attack surface and limited damage. The local-only attack vector (AV:L) and requirement for low privilege (PR:L) eliminate remote exploitation and require at least user-level access. The complexity is low (AC:L), meaning once an attacker has local access, crafting a malicious regex is straightforward. No confidentiality or integrity impact is possible (C:N, I:N); only availability is affected (A:L). The vulnerability is not in the KEV catalog, indicating no evidence of widespread exploitation in the wild. Organizations should treat a 3.3 score as a genuine but containable risk rather than an immediate crisis—the threat is real only if your deployment model allows local users or processes to control regex input.
Frequently asked questions
Do I need to patch if we only use tiny-regex-c for fixed, administrator-defined regex patterns?
No immediate action is required if your regex patterns are hardcoded by administrators and never influenced by user input or untrusted local files. However, document your usage model and include this CVE in your next planned security update cycle. If requirements change in the future and the library becomes exposed to user-controlled patterns, revisit your patch status.
The project hasn't responded yet—should I wait for an official patch before doing anything?
Not necessarily. If you have exposure (users or local processes can control regex patterns), implement a workaround now: add length and complexity limits to regex input, or use a watchdog timer to kill regex operations that exceed acceptable CPU time. Monitor the kokke repository for updates in the coming weeks, but do not assume a patch will arrive on any specific timeline. For low-exposure deployments, you can reasonably wait for an official fix while monitoring for reports of active exploitation.
What is 'rolling release strategy' and how does it affect our patching process?
Rolling release means the project does not publish numbered versions; instead, commits to the main branch are considered the current state. This makes it difficult to track 'which version we're on.' You must identify the exact commit hash of your deployed tiny-regex-c and compare it to the repository history to determine if a fix has been released. Use commit hashes in your dependency tracking (e.g., in lock files or SBOM records) rather than version numbers.
Is this ReDoS (regular expression denial of service)?
Yes, it exhibits ReDoS characteristics—a specially crafted regex pattern causes inefficient backtracking and excessive computation in the matchstar function. Unlike classic ReDoS in complex regex engines with advanced features, tiny-regex-c's minimalist design limits the patterns that trigger the flaw, but the underlying principle is the same: algorithmic complexity abuse leading to availability impact.
This analysis is provided for informational purposes and is based on available data as of the publication date. The kokke project has not yet responded to vulnerability notification, and no official patch commit is recorded; verify any updates directly with the upstream repository. CVSS scores and severity ratings reflect point-in-time risk; your organization's actual risk depends on deployment context, exposure model, and compensating controls. This document does not constitute legal, compliance, or procurement advice. Test all patches in a staging environment before production deployment. SEC.co makes no warranty regarding the accuracy or completeness of remediation guidance and recommends consulting your security team and the vendor for authoritative patch and mitigation information. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10291MEDIUMReDoS in Enderfga claw-orchestrator validateRegex—Security Update
- CVE-2026-10691MEDIUMReDoS Vulnerability in DesktopCommanderMCP Search Manager
- CVE-2026-10692MEDIUMReDoS Vulnerability in code-index-mcp Up to 2.14.0 – Patch Available
- CVE-2026-44796MEDIUMNautobot Denial of Service via ReDoS in Bulk-Rename Endpoints
- CVE-2026-10705LOWDask HyperLogLog Resource Exhaustion Vulnerability
- CVE-2026-41848LOWSpring Framework AntPathMatcher ReDoS Vulnerability
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring