{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35201", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T18:48:58.937Z", "datePublished": "2026-04-06T19:49:48.806Z", "dateUpdated": "2026-04-06T19:49:48.806Z"}, "containers": {"cna": {"title": "Discount has an Out-of-bounds Read in rdiscount", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/davidfstr/rdiscount/security/advisories/GHSA-6r34-94wq-jhrc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/davidfstr/rdiscount/security/advisories/GHSA-6r34-94wq-jhrc"}], "affected": [{"vendor": "davidfstr", "product": "rdiscount", "versions": [{"version": ">= 1.3.1.1, < 2.2.7.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:49:48.806Z"}, "descriptions": [{"lang": "en", "value": "Discount is an implementation of John Gruber's Markdown markup language in C. From 1.3.1.1 to before 2.2.7.4, a signed length truncation bug causes an out-of-bounds read in the default Markdown parse path. Inputs larger than INT_MAX are truncated to a signed int before entering the native parser, allowing the parser to read past the end of the supplied buffer and crash the process. This vulnerability is fixed in 2.2.7.4."}], "source": {"advisory": "GHSA-6r34-94wq-jhrc", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Discount is an implementation of John Gruber's Markdown markup language in C. From 1.3.1.1 to before 2.2.7.4, a signed length truncation bug causes an out-of-bounds read in the default Markdown parse path. Inputs larger than INT_MAX are truncated to a signed int before entering the native parser, allowing the parser to read past the end of the supplied buffer and crash the process. This vulnerability is fixed in 2.2.7.4."}], "id": "CVE-2026-35201", "lastModified": "2026-04-06T20:16:27.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T20:16:27.893", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/davidfstr/rdiscount/security/advisories/GHSA-6r34-94wq-jhrc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.3.1.1,2.2.7.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "rdiscount", "source": "cna", "vendor": "davidfstr"}, "product": "rdiscount", "vendor": "davidfstr"}], "analysis": {"en": {"generated_at": "2026-04-07T02:06:48.429527+00:00", "value": {"mitigation_remediation": ["Upgrade rdiscount to version 2.2.7.4 or later.", "If upgrading is not immediately possible, enforce input size limits on Markdown data to be below INT_MAX.", "Monitor application logs for unexpected crashes and implement automated restart procedures."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected software is David Fstr\u2019s rdiscount Markdown implementation. Versions from 1.3.1.1 up to but not including 2.2.7.4 are vulnerable. Any deployment using an older rdiscount package, regardless of operating system, is at risk if Markdown input is processed without size validation. Upstream releases after 2.2.7.4 include the fix, so the risk is confined to older releases. Users who rely on rdiscount in web servers, static site generators, content management systems, or any other tooling that renders Markdown must review their dependency versions.", "description_and_impact": "In rdiscount versions 1.3.1.1 through before 2.2.7.4 a signed length truncation bug allows an attacker to craft Markdown data larger than INT_MAX. The bug truncates the length to a signed integer before parsing, causing the parser to read past the end of the supplied buffer and crash the process. The crash results in a denial\u2011of\u2011service condition because the process terminates unexpectedly. This issue is identified as CWE\u2011125, an out\u2011of\u2011bounds read. The vulnerability enables attackers to disrupt the availability of any service or application that loads Markdown using the affected rdiscount library, potentially causing downtime or requiring a restart. The impact is limited to denial of service; confidentiality or integrity are not directly compromised.", "risk_and_exploitability": "The CVSS score of 5.9 indicates a moderate severity vulnerability. EPSS information is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, an attacker can trigger a crash by supplying a specially crafted Markdown document that exceeds the 32\u2011bit integer limit, causing the parser to over\u2011read. The attack requires limited knowledge of the input format and does not rely on additional privileges; it can be executed from any source that can feed Markdown data into the parser. The risk is thus significant in scenarios where continuous availability is critical. With the lack of reported real\u2011world exploitation and no known active exploits, the likelihood of immediate targeting is uncertain, but the potential for service disruption justifies timely remediation."}}}}, "created": "2026-04-07T06:54:18.895531+00:00", "updated": "2026-04-07T09:37:20.294668+00:00", "vendors": ["davidfstr", "davidfstr$PRODUCT$rdiscount"]}