{"id":"CVE-2023-22486","summary":"cmark-gfm Quadratic complexity bug in handle_close_bracket may lead to a denial of service","details":"cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.","aliases":["GHSA-r572-jvj2-3m8p"],"modified":"2026-03-14T12:01:59.492903Z","published":"2023-01-24T02:30:29.099Z","related":["MGASA-2023-0181","SUSE-SU-2023:1834-1","openSUSE-SU-2024:12802-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22486.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-400","CWE-407"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22486.json"},{"type":"ADVISORY","url":"https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22486"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/github/cmark-gfm","events":[{"introduced":"0"},{"fixed":"57d5e093ef801f54bf4174c900f7a863599bb47d"}]}],"versions":["0.27.1.gfm.2","0.27.1.gfm.3","0.27.1.gfm.4","0.28.0.gfm.10","0.28.0.gfm.11","0.28.0.gfm.5","0.28.0.gfm.6","0.28.0.gfm.7","0.28.0.gfm.8","0.28.0.gfm.9","0.28.3.gfm.12","0.28.3.gfm.13","0.28.3.gfm.14","0.28.3.gfm.15","0.28.3.gfm.16","0.28.3.gfm.17","0.28.3.gfm.18","0.28.3.gfm.19","0.28.3.gfm.20","0.29.0.gfm.0","0.29.0.gfm.1","0.29.0.gfm.2","0.29.0.gfm.3","0.29.0.gfm.4","0.29.0.gfm.5","0.29.0.gfm.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22486.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}]}