CVE-2026-33750

medium Red Hat
CVSS v3 Base Score
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score
0.0%
Exploitation probability in 30 days
Top 93% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Confidentiality
None
Integrity
None
Availability
High
Published: March 27, 2026 (105 days ago)
Last Modified: March 27, 2026
Vendor: Red Hat
Source: REDHAT

Description

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.

CWE

CWE-606

Affected Products

Cryostat 4Gatekeeper 3Logging Subsystem for Red Hat OpenShiftMigration Toolkit for Applications 8Migration Toolkit for ContainersMigration Toolkit for VirtualizationMulticluster Engine for KubernetesNetwork Observability OperatorNode HealthCheck OperatorOpenShift Pipelines

References