CVE-2026-4539
Inefficient Regular Expression Complexity vulnerability in pygments (PyPI)
What is CVE-2026-4539 About?
This vulnerability in Pygments' `AdlLexer` function is caused by inefficient regular expression complexity. A malicious input can lead to a Regular Expression Denial of Service (ReDoS) by consuming excessive processing resources. The attack is local and easy to carry out for anyone who can feed input to the lexer, and a public exploit exists.
Technical Details
The AdlLexer function within pygments/lexers/archetype.py in Pygments versions up to 2.19.2 contains an inefficient regular expression. This regular expression exhibits catastrophic backtracking when presented with a specially crafted input string. Upon processing such an input, the regular expression engine enters an extremely resource-intensive state, consuming disproportionate CPU cycles and memory. This leads to a Regular Expression Denial of Service (ReDoS) condition, effectively making the application unresponsive or crashing it when attempting to highlight the malicious input.
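The following is an added example, not Pygments code and not the regular expression from `archetype.py`: it shows the defensive pattern a practitioner would put around any regex-based lexer that processes untrusted input while a fix is unavailable. The pathological pattern `^(a+)+$` is a constructed stand-in for a nested-quantifier rule; `MAX_INPUT_CHARS`, `guarded_match` and `_worker` are names chosen here. Because Python's `re` engine holds the GIL while it backtracks, a thread with a timeout cannot interrupt it, so the match runs in a forked child process that the parent kills when the wall-clock budget is exceeded (Linux/macOS).

```python
"""Guarding a regex-based lexer against catastrophic backtracking.

Added example (not Pygments code). The pathological pattern below is a
constructed stand-in for a nested-quantifier regex, not the real AdlLexer rule.
"""
import multiprocessing
import re

# Constructed pathological pattern: the nested quantifier plus a forced
# failure at the end makes the engine try every way to split the run of "a"s.
PATHOLOGICAL = re.compile(r"^(a+)+$")
# Constructed linear-time rewrite of the same language: one quantifier, no nesting.
LINEAR = re.compile(r"^a+$")

# Assumed limit: untrusted highlight requests larger than this are rejected up front.
MAX_INPUT_CHARS = 64 * 1024


def _worker(pattern, text, conn):
    # Runs in a child process so the parent can kill it if it overruns.
    conn.send(pattern.match(text) is not None)
    conn.close()


def guarded_match(pattern, text, timeout=1.0, max_len=MAX_INPUT_CHARS):
    """Match `pattern` against `text` under a size bound and a wall-clock budget.

    Returns True/False for a completed match, or None if the input was too
    large or the match did not finish within `timeout` seconds (the worker is
    killed, so the parent never blocks on the backtracking engine).
    """
    if len(text) > max_len:
        return None
    # Python's re engine holds the GIL while matching, so a thread cannot be
    # interrupted; a separate process can. "fork" avoids re-importing this module.
    ctx = multiprocessing.get_context("fork")
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(pattern, text, child_conn))
    proc.start()
    child_conn.close()
    if parent_conn.poll(timeout):
        result = parent_conn.recv()
        proc.join()
        return result
    proc.kill()
    proc.join()
    return None


if __name__ == "__main__":
    hostile = "a" * 30 + "!"
    print("linear :", guarded_match(LINEAR, hostile, timeout=1.0))        # False, instantly
    print("nested :", guarded_match(PATHOLOGICAL, hostile, timeout=1.0))  # None, killed
```

The same wrapper shape applies to a real highlighting call: replace `pattern.match(text)` in the worker with the call into the lexer (for Pygments that would be `pygments.highlight(...)`, assumed here and not imported so the example runs offline), keep the size bound, and treat a `None` result as "refuse to render" rather than retrying. The size bound matters on its own: with exponential backtracking, even a modest length limit caps the worst case the worker can spend before it is killed.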
What is the Impact of CVE-2026-4539?
Successful exploitation may allow attackers to cause a denial-of-service condition, leading to application unresponsiveness, crashes, or resource exhaustion.
What is the Exploitability of CVE-2026-4539?
Exploitation of this vulnerability is of low complexity. It requires local access to the system running Pygments, or some other way to feed input to an application that passes it through the vulnerable lexer; no authentication and no special privileges are needed. The existence of a public exploit simplifies the attack and increases its likelihood. The main constraint is obtaining that local access.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-4539?
Available Upgrade Options
- No fixes available
Additional Resources
- https://vuldb.com/?ctiid.352327
- https://vuldb.com/?submit.774685
- https://nvd.nist.gov/vuln/detail/CVE-2026-4539
- https://github.com/pygments/pygments
- https://vuldb.com/?id.352327
- https://osv.dev/vulnerability/GHSA-5239-wwwm-4pmq
- https://github.com/pygments/pygments/issues/3058
What are Similar Vulnerabilities to CVE-2026-4539?
Similar Vulnerabilities: CVE-2023-38501, CVE-2023-28155, CVE-2022-38435, CVE-2021-25916, CVE-2020-8178
