{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-21T19:51:53Z",
  "bugzilla" : {
    "description" : "github.com/gomarkdown/markdown: github.com/gomarkdown/markdown: Denial of Service via malformed Markdown input",
    "id" : "2460245",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460245"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-1286",
  "details" : [ "A flaw was found in github.com/gomarkdown/markdown, a Go library for parsing Markdown text and rendering as HTML. A remote attacker could exploit this vulnerability by providing a specially crafted malformed input. Specifically, input containing a '<' character not followed by a '>' character, when processed by the SmartypantsRenderer, can lead to an out-of-bounds read or a panic. This can result in a denial of service (DoS) for the application, making it unavailable to legitimate users." ],
  "statement" : "This is an Important denial of service flaw affecting Red Hat products that utilize the `github.com/gomarkdown/markdown` library. The vulnerability occurs when the `SmartypantsRenderer` processes specially crafted malformed Markdown input containing an unclosed '<' character, leading to an out-of-bounds read or application panic. Successful exploitation may render the application using the library unavailable.",
  "package_state" : [ {
    "product_name" : "Kube Descheduler Operator",
    "fix_state" : "Not affected",
    "package_name" : "kube-descheduler-operator/descheduler-rhel9",
    "cpe" : "cpe:/a:redhat:kube_descheduler_operator:4"
  }, {
    "product_name" : "Kube Descheduler Operator",
    "fix_state" : "Not affected",
    "package_name" : "kube-descheduler-operator/descheduler-rhel9",
    "cpe" : "cpe:/a:redhat:kube_descheduler_operator:5"
  }, {
    "product_name" : "Multicluster Global Hub",
    "fix_state" : "Not affected",
    "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/acm-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-40890\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40890\nhttps://github.com/gomarkdown/markdown/commit/759bbc3e32073c3bc4e25969c132fc520eda2778\nhttps://github.com/gomarkdown/markdown/security/advisories/GHSA-77fj-vx54-gvh7" ],
  "name" : "CVE-2026-40890",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}