CVE Catalog

CVE-2026-53428

MediumCVSS 6.9
Published: Updated: Translated: NVD NIST

Summary

A vulnerability in the mdex and mdex_native libraries allows an unauthenticated attacker to cause a denial of service via unbounded memory allocation. The parse_highlight_lines function in the LumisAdapter component expands a user-controlled line range from a fenced code block without an upper bound, allocating huge vectors. A payload with a range like 1-2000000000 can exhaust host memory and abort the BEAM process.

Risk Assessment

The organization faces a complete denial of service in the Markdown rendering process, potentially disrupting applications using MDEx.to_html/2, such as comment systems, chat platforms, or wikis.

Recommendation

Immediately upgrade mdex to version 0.12.3 or later, and mdex_native to version 0.2.3 or later. If upgrading is not possible, restrict Markdown submission to authenticated users only.

Original NVD description (English source)

Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation. comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block's highlight_lines decorator into a Vec<usize>, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines="1-100000000", forcing the native adapter to allocate roughly 8 bytes per line in the range. A payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory. The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched. This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS