CVE-2026-11478

An attacker can trigger this vulnerability by providing a crafted regular expression pattern and input text that forces the regex engine into a state of catastrophic backtracking. This occurs when multiple greedy quantifiers are chained, and the overall match fails near the end of the input. The engine then repeatedly redistributes the input across quantifiers, exploring a rapidly growing number of failing paths, which consumes excessive CPU resources. This can be exploited in applications where an attacker can control the regex pattern or the input text that reaches a vulnerable pattern [ref_id=1].

The vulnerability resides in the `matchstar` and `matchplus` functions within the `re.c` file of the tiny-regex-c library. These functions handle greedy quantifier matching, specifically the `*` and `+` operators. The issue arises from their backtracking mechanism when dealing with chained greedy quantifiers, as demonstrated in the provided proof-of-concept pattern `a*a*a*a*a*a*a*a*a*a*a*a*a*a*b` [ref_id=1].

The advisory does not specify a patch or remediation steps beyond general recommendations. It suggests replacing the current backtracking quantifier implementation with a linear-time matching strategy, adding a match-step budget or timeout, rejecting ambiguous repeated quantifier chains, and returning a compile-time error for patterns that would be truncated. For host applications, it recommends avoiding untrusted regex patterns or enforcing limits and timeouts if user-controlled regex is necessary [ref_id=1].

Step 1: Build the verification program using the provided files. Step 2: Run the matcher with increasing failed-match input lengths, for example: `. edos.exe aaaaaaaaaaaa`, `. edos.exe aaaaaaaaaaaaaaa`, `. edos.exe aaaaaaaaaaaaaaaaaa`. Step 3: Observe that all inputs fail to match, but CPU time grows rapidly with increasing input length [ref_id=1].