CVE-2026-53428 PUBLISHED

Unbounded memory allocation in highlight_lines range expansion in mdex

Assigner: EEF
Reserved: 09.06.2026 Published: 29.06.2026 Updated: 30.06.2026

Memory Allocation with Excessive Size Value vulnerability in leandrocp mdex allows an unauthenticated attacker to cause a denial of service through unbounded memory allocation.

comrak_nif::lumis_adapter::LumisAdapter::parse_highlight_lines in native/comrak_nif/src/lumis_adapter.rs eagerly expands a user-controlled inclusive line range from a fenced code block's highlight_lines decorator into a Vec<usize>, pushing one element per integer in the range with no upper bound on the range size. An attacker who can supply Markdown that an application renders with MDEx.to_html/2 (for example a comment, chat message, or wiki page) can embed a code block whose info string is rust highlight_lines="1-100000000", forcing the native adapter to allocate roughly 8 bytes per line in the range.

A payload that differs by only a few bytes can therefore allocate hundreds of megabytes, and a sufficiently large range (for example 1-2000000000) exhausts host memory and aborts the BEAM, denying service to every user of the rendering process. The per-line write loop additionally tests membership with a linear scan over the same vector, degrading rendering to a quadratic cost even for ranges that do not immediately exhaust memory.

The vulnerable native code originally shipped inside mdex (in native/comrak_nif/src/lumis_adapter.rs) and was later extracted into the separate mdex_native package (native/mdex_native_nif/src/lumis_adapter.rs), where it remains unpatched.

This issue affects mdex from 0.11.0 before 0.12.3, and mdex_native from 0.1.0 before 0.2.3.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	leandrocp
Product	mdex
Versions	Default: unaffected affected from 0.11.0 to 0.12.3 (excl.)

Vendor	leandrocp
Product	mdex
Versions	Default: unaffected affected from a8407611715d1ead35fbcba79c72cef1b7df387b to 6ed94d905f97af188323f042698ae841c02293b4 (excl.)

Vendor	leandrocp
Product	mdex_native
Versions	Default: unaffected affected from 0.1.0 to 0.2.3 (excl.)

Vendor	leandrocp
Product	mdex_native
Versions	Default: unaffected affected from 956528c5e31746253347029e810a969ab916fd27 to 798a363b4339f6f7162ec8437c4c9f9b5ae6fbf3 (excl.)

Affected Configurations

Exploitation requires the application to enable code-block decorators. Decorators are active only when the render options github_pre_lang and full_info_string are both set and an inline syntax-highlight formatter (for example {:html_inline, ...}) is configured. Applications that render Markdown with the default options do not parse highlight_lines specifications and are not affected.

Workarounds

Do not enable code-block decorators: leave the github_pre_lang and full_info_string render options unset, or avoid configuring an inline syntax-highlight formatter, so that highlight_lines specifications are never parsed.

Credits

Peter Ullrich finder
Leandro Pereira remediation developer
Jonatan Männchen / EEF analyst

References

Problem Types

CWE-789 Memory Allocation with Excessive Size Value CWE

Impacts

CAPEC-130 Excessive Allocation