Security Vulnerability Report
CVE-2026-35201 CVSS 5.9 MEDIUM


Published: 2026-04-06 20:16:28
Last Modified: 2026-04-16 04:20:29

Description

Discount is an implementation of John Gruber's Markdown markup language in C; the affected product recorded below is rdiscount, its Ruby binding. From 1.3.1.1 to before 2.2.7.4, a signed length truncation bug causes an out-of-bounds read in the default Markdown parse path: input lengths larger than INT_MAX are truncated to a signed int before being handed to the native parser, so the length the parser works with no longer matches the buffer it was given, and the parser can read past the end of the supplied buffer and crash the process (denial of service; the CVSS vector records no confidentiality or integrity impact). This vulnerability is fixed in 2.2.7.4.
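The mechanism described above, as an added example that is not code from rdiscount or Discount: the unchecked size_t-to-int narrowing beside a hardened wrapper that refuses any length that does not fit in an int, with a stand-in `count_lines` routine playing the role of the native parser so there is a result to check. The names `truncate_len`, `checked_len`, `count_lines` and `count_lines_checked` are illustrative and not the project's; the arithmetic assumes a 64-bit size_t and a 32-bit int (LP64, as on x86_64 Linux), and no multi-gigabyte buffer is allocated, only the length value is inspected.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The vulnerable conversion (illustrative, not the project's code): a
 * size_t-sized string length is handed to a native parser whose length
 * parameter is a plain int. For len > INT_MAX the conversion is
 * implementation-defined; on the usual two's-complement ABIs it wraps,
 * so the parser sees a length unrelated to the buffer it was given. */
int truncate_len(size_t len) {
    return (int)len;
}

/* Hardened wrapper: refuse, rather than silently truncate, any length
 * that does not fit in int, so the parser is never called with a bogus
 * length. Returns false when the input is too large. */
bool checked_len(size_t len, int *out) {
    if (len > (size_t)INT_MAX) {
        return false;
    }
    *out = (int)len;
    return true;
}

/* Stand-in for a native parser in the shape of the vulnerable entry point:
 * it trusts `len` and walks that many bytes of `buf`. It counts newlines
 * so there is a value to check; any routine with this signature reads out
 * of bounds when `len` does not describe `buf`. */
int count_lines(const char *buf, int len) {
    int lines = 0;
    for (int i = 0; i < len; i++) {
        if (buf[i] == '\n') {
            lines++;
        }
    }
    return lines;
}

/* What a binding should do: validate before crossing the size_t -> int
 * boundary. Returns -1 when the input cannot be handed to the parser. */
int count_lines_checked(const char *buf, size_t len) {
    int n;
    if (!checked_len(len, &n)) {
        return -1;
    }
    return count_lines(buf, n);
}

int main(void) {
    /* Constructed length just above INT_MAX (assumes 64-bit size_t). */
    size_t huge = (size_t)INT_MAX + 100;
    int n = 0;

    printf("size_t %zu narrows to int %d\n", huge, truncate_len(huge));
    printf("checked_len accepts it: %s\n", checked_len(huge, &n) ? "yes" : "no");

    /* Constructed sample document; sizeof - 1 drops the NUL terminator. */
    const char sample[] = "# title\n\nbody\n";
    printf("lines in sample: %d\n", count_lines_checked(sample, sizeof sample - 1));
    return 0;
}
```

A length of INT_MAX + 100 wraps to a negative int, while a length of 2^32 + 10 wraps to 10; either way the native parser is told something other than the true buffer size, which is why the fix belongs at the boundary, before the narrowing, not inside the parser.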

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (network-reachable, high attack complexity, no privileges or user interaction required; availability impact only)
Weakness
CWE-125 (Out-of-bounds Read)

Configurations (Affected Products)

cpe:2.3:a:dafoster:rdiscount:*:*:*:*:*:ruby:*:* - VULNERABLE
rdiscount (the Ruby binding of Discount) from 1.3.1.1 up to, but not including, 2.2.7.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>

// Conceptual PoC for CVE-2026-35201.
// Demonstrates the signed length truncation issue: a size_t length is
// narrowed to int before it reaches the native parser.
void vulnerable_parser(char *buffer, size_t len) {
    // Vulnerability: casting size_t to int without checking bounds.
    int buffer_len = (int)len;
    printf("Original size_t length: %zu\n", len);
    printf("Truncated int length: %d\n", buffer_len);

    // On common two's-complement ABIs, INT_MAX + 100 narrows to a negative
    // int, so the demo below takes this early-return path.
    if (buffer_len < 0) {
        printf("Error: Negative length detected after truncation!\n");
        return;
    }

    // The parser would use buffer_len to loop, but the actual buffer size
    // corresponds to 'len'. If len > INT_MAX, buffer_len is wrong, and a
    // parser that trusts it can read past the end of the supplied buffer.
    // This demo only checks the condition and never dereferences 'buffer'.
    for (int i = 0; i < buffer_len; i++) {
        if ((size_t)i >= len) {
            printf("Out of bounds read prevented in PoC demo.\n");
            break;
        }
    }
}

int main(void) {
    // A payload length larger than INT_MAX.
    size_t huge_payload_size = (size_t)INT_MAX + 100;

    // Conceptual only: a 2 GB+ buffer is not allocated here.
    // char *huge_buffer = (char *)malloc(huge_payload_size);

    printf("Simulating CVE-2026-35201 trigger...\n");
    vulnerable_parser(NULL, huge_payload_size);
    return 0;
}

References

https://github.com/davidfstr/rdiscount/security/advisories/GHSA-6r34-94wq-jhrc (Vendor Advisory, Exploit)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35201", "sourceIdentifier": "[email protected]", "published": "2026-04-06T20:16:27.893", "lastModified": "2026-04-16T04:20:29.057", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Discount is an implementation of John Gruber's Markdown markup language in C. From 1.3.1.1 to before 2.2.7.4, a signed length truncation bug causes an out-of-bounds read in the default Markdown parse path. Inputs larger than INT_MAX are truncated to a signed int before entering the native parser, allowing the parser to read past the end of the supplied buffer and crash the process. This vulnerability is fixed in 2.2.7.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dafoster:rdiscount:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "1.3.1.1", "versionEndExcluding": "2.2.7.4", "matchCriteriaId": "CD92C2DB-DEF1-4154-A725-76F41B1A0BBC"}]}]}], "references": [{"url": "https://github.com/davidfstr/rdiscount/security/advisories/GHSA-6r34-94wq-jhrc", "source": "[email protected]", "tags": ["Vendor Advisory", "Exploit"]}]}}