CVE Vulnerabilities

CVE-2026-26996

Inefficient Regular Expression Complexity

Published: Feb 20, 2026 | Modified: Mar 06, 2026
CVSS 3.x (Source: NVD): 7.5 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
RedHat/V3: 6.5 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Ubuntu: MEDIUM

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N), where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.

Weakness

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Software

Name | Vendor | Start Version | End Version
Minimatch | Minimatch_project | 3.0.0 (including) | 3.1.3 (excluding)
Minimatch | Minimatch_project | 4.0.0 (including) | 4.2.4 (excluding)
Minimatch | Minimatch_project | 5.0.0 (including) | 5.1.7 (excluding)
Minimatch | Minimatch_project | 6.0.0 (including) | 6.2.1 (excluding)
Minimatch | Minimatch_project | 7.0.0 (including) | 7.4.7 (excluding)
Minimatch | Minimatch_project | 8.0.0 (including) | 8.0.5 (excluding)
Minimatch | Minimatch_project | 9.0.0 (including) | 9.0.6 (excluding)
Minimatch | Minimatch_project | 10.0.0 (including) | 10.2.1 (excluding)
Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | automation-gateway-0:2.5.20260422-3.el8ap | *
Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | automation-gateway-0:2.5.20260422-3.el9ap | *
Red Hat Ansible Automation Platform 2.6 for RHEL 9 | RedHat | automation-platform-ui-0:2.6.8-1.el9ap | *
Red Hat Enterprise Linux 10 | RedHat | nodejs22-1:22.22.2-1.el10_1 | *
Red Hat Enterprise Linux 10 | RedHat | nodejs24-1:24.14.1-2.el10_1 | *
Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | nodejs22-1:22.22.2-2.el10_0 | *
Red Hat Enterprise Linux 8 | RedHat | nodejs:22-8100020260331102257.6d880403 | *
Red Hat Enterprise Linux 8 | RedHat | nodejs:24-8100020260408131901.6d880403 | *
Red Hat Enterprise Linux 8 | RedHat | nodejs:20-8100020260414073138.489197e6 | *
Red Hat Enterprise Linux 9 | RedHat | nodejs:22-9070020260401095228.rhel9 | *
Red Hat Enterprise Linux 9 | RedHat | nodejs:24-9070020260402152654.rhel9 | *
Red Hat Enterprise Linux 9 | RedHat | nodejs:20-9070020260409073121.rhel9 | *
Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | nodejs:20-9040020260421133644.rhel9 | *
Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | nodejs:22-9060020260409121057.rhel9 | *
Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | nodejs:20-9060020260422064119.rhel9 | *
Red Hat JBoss Enterprise Application Platform 8.1 | RedHat | io.hawt-project | *
Red Hat JBoss Enterprise Application Platform 8.1 | RedHat | org.jboss.hal-hal-parent | *
Red Hat JBoss Enterprise Application Platform 8.1 | RedHat | org.keycloak-keycloak-parent | *
Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8 | RedHat | eap8-wildfly-0:8.1.6-5.GA_redhat_00007.1.el8eap | *
Red Hat Developer Hub 1.8 | RedHat | rhdh/rhdh-hub-rhel9:1776784286 | *
Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9:1776257621 | *
Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-pipeline-runtime-minimal-cpu-py312-rhel9:1776413275 | *
Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9:1776336652 | *
Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9:1776319193 | *
Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9:1776319213 | *
Red Hat OpenShift AI 2.25 | RedHat | rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9:1776319275 | *
Red Hat OpenShift Container Platform 4.19 | RedHat | openshift4/ose-console-rhel9:1780365421 | *
Red Hat OpenShift Container Platform 4.20 | RedHat | openshift4/ose-console-rhel9:1779874396 | *
Red Hat OpenShift Container Platform 4.21 | RedHat | openshift4/ose-console-rhel9:1779867238 | *
Red Hat OpenShift Dev Spaces 3.27 | RedHat | devspaces/code-rhel9:1774448966 | *
Red Hat OpenShift Dev Spaces 3.28 | RedHat | devspaces/openvsx-rhel9:1779528224 | *
Red Hat Quay 3.1 | RedHat | quay/quay-rhel8:1773971077 | *
Red Hat Quay 3.12 | RedHat | quay/quay-rhel8:1773771962 | *
Red Hat Quay 3.15 | RedHat | quay/quay-rhel8:1775169219 | *
Red Hat Quay 3.16 | RedHat | quay/quay-rhel9:1775069491 | *
Red Hat Quay 3.16 | RedHat | quay/quay-rhel9:1775169226 | *
Red Hat Quay 3.9 | RedHat | quay/quay-rhel8:1773936323 | *
Red Hat Satellite 6.18 | RedHat | satellite/iop-advisor-frontend-rhel9:1781181673 | *
Red Hat Satellite 6.18 | RedHat | satellite/iop-vulnerability-frontend-rhel9:1781032495 | *
Node-minimatch | Ubuntu | esm-apps/xenial | *

Potential Mitigations
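
As an added example (not code from this advisory or from the minimatch project), the JavaScript below checks a minimatch version against the ranges in the Affected Software table and pre-screens untrusted glob patterns for the long runs of * described above. All function names and the limits MAX_STAR_RUN and MAX_PATTERN_LENGTH are assumptions chosen for illustration.

```javascript
// Added example: version triage plus an input guard for untrusted glob patterns.
// Ranges copied from the "Affected Software" table: [start (including), end (excluding)].
const AFFECTED_RANGES = [
  ['3.0.0', '3.1.3'], ['4.0.0', '4.2.4'], ['5.0.0', '5.1.7'], ['6.0.0', '6.2.1'],
  ['7.0.0', '7.4.7'], ['8.0.0', '8.0.5'], ['9.0.0', '9.0.6'], ['10.0.0', '10.2.1'],
];

// Numeric comparison of plain x.y.z versions (pre-release tags are not handled).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True only for versions inside a range listed in the table above.
function isInListedAffectedRange(version) {
  return AFFECTED_RANGES.some(
    ([lo, hi]) => cmpVersion(version, lo) >= 0 && cmpVersion(version, hi) < 0
  );
}

// Assumed limits (hypothetical, tune per application): "**" is the longest
// run of "*" an ordinary glob needs, so longer runs are rejected outright.
const MAX_STAR_RUN = 2;
const MAX_PATTERN_LENGTH = 256;

// Length of the longest run of consecutive "*" characters in the pattern.
function longestStarRun(pattern) {
  let longest = 0;
  let run = 0;
  for (const ch of pattern) {
    run = ch === '*' ? run + 1 : 0;
    if (run > longest) longest = run;
  }
  return longest;
}

// Screen a pattern from an untrusted source before it reaches minimatch().
function checkUntrustedGlob(pattern) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'pattern too long' };
  const run = longestStarRun(pattern);
  if (run > MAX_STAR_RUN) return { ok: false, reason: `run of ${run} consecutive "*"` };
  return { ok: true, reason: null };
}
```

Upgrading to a fixed release is the remedy the advisory names; the pattern check only keeps the described input shape away from a matcher that has not been upgraded yet.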