Platform: python
Component: pygments
Fixed versions: 2.19.1, 2.19.2, 2.19.3, 2.20.0
A Denial of Service (DoS) vulnerability has been identified in Pygments versions 2.9.0 and earlier. The flaw lies in the AdlLexer in archetype.py, where crafted input can trigger inefficient regular expression complexity (a ReDoS). Exploitation requires local access and can exhaust system resources, degrading application availability.
The vulnerability allows an attacker with local access to trigger a denial-of-service condition within Pygments. By supplying input that exercises the inefficient regular expression handling in the AdlLexer, an attacker can consume excessive CPU and memory, potentially causing application crashes or system instability. Although local access is required, the risk is significant in environments where local access controls are weak or already compromised. The impact is resource exhaustion rather than data compromise, but a prolonged DoS could disrupt critical services.
A proof-of-concept exploit for CVE-2026-4539 has been publicly released, indicating a potential for active exploitation. The vulnerability was reported early and remains unaddressed by the project. The CVSS score is LOW, suggesting a limited attack surface and impact, but the availability of a PoC increases the risk of opportunistic attacks.
Systems running Pygments 2.9.0 or earlier are at risk, particularly those with weak local access controls or where Pygments is embedded in critical applications. Development environments and build servers that rely on Pygments are also potential targets.
• python / system: Monitor system resource usage (CPU, memory) for unusual spikes. Investigate any processes consuming excessive resources that are related to Pygments.
  top -c
  ps aux --sort=-%cpu
Exploit status
EPSS: 0.01% (3rd percentile)
The primary mitigation for CVE-2026-4539 is to upgrade Pygments to version 2.20.0 or later, which contains the fix. If upgrading is not immediately feasible, consider restricting local access to the system running Pygments. While a direct WAF rule is unlikely to be effective due to the nature of the vulnerability, monitoring system resource usage (CPU, memory) for unusual spikes could provide an early warning sign of exploitation. There are no specific detection signatures available at this time.
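As an added example (not from this advisory or the Pygments project), the following Python check flags Pygments requirements in a requirements.txt that fall below 2.20.0, the fixed release named above, and reports whether the running interpreter's installed Pygments is below it; the sample requirements file is constructed.

```python
import re
from importlib import metadata

FIXED_VERSION = "2.20.0"  # first fixed release stated in the advisory text

# Matches "pygments==2.9.0" or "Pygments[plugins]>=2.20.0 ; python_version>='3.8'".
_REQ_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
                     r"(?P<op>==|~=|>=|<=|!=|<|>)?\s*(?P<ver>[0-9][0-9A-Za-z.]*)?")

def parse_version(ver):
    """'2.19.3' -> (2, 19, 3). Compare numerically: as strings '2.9.0' > '2.20.0'."""
    return tuple(int(p) for p in re.findall(r"\d+", ver))

def is_vulnerable_version(ver):
    """True when the version sorts below the fixed release."""
    return parse_version(ver) < parse_version(FIXED_VERSION)

def check_requirements(text):
    """Return (line, verdict) per pygments requirement: 'vulnerable' (exact pin below
    the fix), 'fixed' (pin or lower bound at/after it), or 'unpinned' (fix not forced)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = _REQ_RE.match(line)
        if not m or m.group("name").lower() != "pygments":
            continue
        op, ver = m.group("op"), m.group("ver")
        if op == "==" and ver:
            verdict = "vulnerable" if is_vulnerable_version(ver) else "fixed"
        elif op == ">=" and ver and not is_vulnerable_version(ver):
            verdict = "fixed"
        else:
            verdict = "unpinned"
        findings.append((line, verdict))
    return findings

def installed_pygments_vulnerable():
    """Check the running interpreter's Pygments; None when it is not installed."""
    try:
        return is_vulnerable_version(metadata.version("pygments"))
    except metadata.PackageNotFoundError:
        return None

# Constructed sample requirements file (not taken from the advisory).
SAMPLE = 'requests==2.31.0\npygments==2.9.0  # pinned below the fix\n' \
         'Pygments[plugins]>=2.20.0 ; python_version >= "3.8"\npygments~=2.19\n'

if __name__ == "__main__":
    for line, verdict in check_requirements(SAMPLE):
        print(f"{verdict:10s} {line}")
    print("installed pygments below fix:", installed_pygments_vulnerable())
```

An "unpinned" verdict means the resolver may still select an affected release, so the installed version on each host is what decides exposure.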
Update the pygments library to a version later than 2.19.2. This resolves the denial-of-service vulnerability caused by inefficient regular expression complexity in the AdlLexer lexer.
CVE-2026-4539 is a Denial of Service vulnerability in Pygments versions 2.9.0 and earlier, allowing attackers with local access to cause resource exhaustion through inefficient regular expression handling.
You are affected if you are using Pygments versions 2.9.0 or earlier. Upgrade to 2.20.0 or later to mitigate the risk.
Upgrade Pygments to version 2.20.0 or later. If immediate upgrade is not possible, restrict local access to systems running Pygments.
A public proof-of-concept exploit exists, suggesting a potential for active exploitation, although confirmed exploitation is not yet widespread.
Check the Pygments project's website and GitHub repository for updates and advisories related to CVE-2026-4539.