CVE-2026-35201 rdiscount Crash DoS: Fixed in 2.2.7.4, Guard Against INT_MAX

A newly disclosed out-of-bounds read in the rdiscount Markdown parser has been assigned CVE-2026-35201, and the practical impact is blunt: a crafted input large enough to exceed INT_MAX can crash the native parser and take down whatever service is using it. The advisory ties the issue to a signed length truncation bug in the default Markdown parse path, and the fixed release is 2.2.7.4. In plain English, this is not a data-theft headline; it is a reliability and availability problem that can still be serious when the vulnerable library sits behind user-facing content pipelines. (nvd.nist.gov)

Overview​

The core of CVE-2026-35201 is a type mismatch that should make systems programmers wince. rdiscount hands a Ruby string length to native code that ultimately stores the value in a signed int, and once an input exceeds INT_MAX, the parser can lose track of how much data remains. That leads the parser to keep reading past the end of the supplied buffer until the process crashes. (nvd.nist.gov)
That matters because Markdown parsing is one of those quiet infrastructure tasks that often runs in the background of otherwise ordinary applications. Blogs, knowledge bases, ticketing systems, CMS platforms, forum engines, and internal documentation tools may all parse untrusted text on demand. If a parser falls over, the damage can be immediate and visible even if no secrets are exfiltrated. (osv.dev)
What makes this advisory especially notable is that it is not framed as a vague stability issue. The GitHub advisory database says the problem can cause a reliable denial of service when the application accepts attacker-controlled Markdown and permits multi-gigabyte inputs. That limitation is important: the bug is not universal, but in the environments where large uploads or oversized fields are allowed, the crash path is straightforward enough to be operationally relevant. (osv.dev)
There is also a useful lesson here about how severity gets interpreted. The CNA rating attached to the issue is 5.9 Medium with availability high and no confidentiality or integrity impact, which is consistent with a crash-only vulnerability. But for organizations whose uptime is the product, medium on paper can still be painful in production if the parser sits in a hot request path. (nvd.nist.gov)

What rdiscount Does​

rdiscount is a Ruby wrapper around Discount, a C implementation of John Gruber’s Markdown language. The wrapper exists because native code is fast, and Markdown parsing is often latency-sensitive when lots of text is processed at once. That performance benefit, however, comes with all the usual sharp edges of C extensions: memory management, signedness, and bounds checking all become security concerns. (nvd.nist.gov)

Why a Markdown Library Can Be Security-Critical​

Markdown parsers are not just formatting helpers. In many software stacks, they are part of the trust boundary between user-submitted content and rendered output. A parser crash in a comment system, support portal, or knowledge base can interrupt rendering for every visitor until a worker restarts or the service recovers. (osv.dev)
The interesting part is that the bug is triggered by size, not by a cleverly malformed character sequence. That makes it less about language semantics and more about how the library handles a numeric edge case. Those bugs are often harder to spot in review because the code can look logically correct until the value crosses a platform limit. (nvd.nist.gov)

• Native extensions often inherit C’s signed integer limits.
• Large text blobs are common in document-processing systems.
• Crash-only flaws can still create business-critical outages.
• Input validation at the wrapper boundary is usually the simplest fix.

The Technical Root Cause​

The advisory describes a signed length truncation bug in the default parsing path. In the vulnerable code path, RSTRING_LEN(text) is passed toward mkd_string(), which accepts an int len. If the Ruby string length is larger than INT_MAX, the conversion can wrap or truncate in a way that leaves the parser with an invalid remaining-length counter. (osv.dev)

How the Crash Happens​

Inside the parser, the remaining input length is tracked in a signed int, and the loop only stops when that counter hits zero. If the counter starts out in a bad state, the parser can continue advancing through memory beyond the original buffer. That is the classic shape of an out-of-bounds read: the process consumes memory it was never supposed to touch, and the runtime eventually crashes. (osv.dev)
The important detail is that this is not described as a complicated exploit chain. The documentation says the main impact is denial of service, not code execution. That distinction matters because it tells defenders what to expect operationally: process termination, worker churn, and request failures, rather than immediate remote compromise. That said, a reliable crash in a high-traffic parser is still a real security issue. (osv.dev)

• The vulnerable path is in the native parser, not Ruby-level syntax handling.
• The bad state appears when input exceeds INT_MAX.
• The parser keeps stepping through memory after the logical end of input.
• The most likely outcome is a segmentation fault or native crash.

Affected Entry Points​

The advisory identifies two public entry points: RDiscount.new(input).to_html and RDiscount.new(input).toc_content. That is a useful signal because it shows the bug is reachable through normal public APIs, not some obscure maintenance function. If an application exposes either function to oversized user text, the crash becomes reachable from the outside. (osv.dev)
The GitHub advisory also includes a proof-of-concept that builds a very large Ruby string and then calls to_html, resulting in a segmentation fault. The presence of a crash PoC reinforces that the issue is not theoretical; it is reproducible under the right input conditions. (osv.dev)

Impact and Severity​

From a security operations perspective, this is primarily an availability issue. The NVD page reflects the same basic technical story: inputs larger than INT_MAX can be truncated before entering the native parser, allowing the parser to read past the buffer and crash the process. The CNA score of 5.9 Medium matches that profile, but the effective severity depends heavily on where rdiscount is deployed. (nvd.nist.gov)

When “Medium” Becomes Operationally Ugly​

A parser crash in a background worker is annoying. A crash in a monolithic web process that renders user content can be much worse. If every malformed or oversized request kills a worker, the service may enter a restart loop, and the user experience degrades from slow responses to outright unavailability. (osv.dev)
This is the kind of vulnerability that hits the front door of a content pipeline. Even if the attacker cannot steal data, they may be able to repeatedly deny service with carefully chosen inputs, especially if upload and content-length controls are weak. In that sense, the issue resembles other parser-driven availability bugs: simple trigger, expensive recovery. (nvd.nist.gov)

• No confidentiality impact has been reported in the advisory.
• No integrity impact has been reported in the advisory.
• Availability impact is the dominant concern.
• Repeated exploitation could be more disruptive than a one-off crash.

Enterprise vs. Consumer Exposure​

Enterprises are likely to see this through CMS platforms, documentation systems, and internal tooling that process large user-generated content bodies. Consumer services face a slightly different profile: they may have stronger request size limits, but they also have more heterogeneous traffic and a larger attack surface. The common factor is whether untrusted Markdown reaches rdiscount without strict size checks. (osv.dev)
A well-configured consumer app may never let a Markdown field approach multi-gigabyte scale, making the practical risk low. But if the parser is embedded deep in an application framework or a third-party plugin with permissive upload policies, defenders should assume the crash path is reachable. Assume limits exist only after you verify them. (osv.dev)

Remediation​

The fix is straightforward in concept: reject inputs larger than INT_MAX before handing them to the native parser. The OSV entry says the guard should be added before the mkd_string() call in both public entry points, and the fixed version is 2.2.7.4. That is the sort of patch reviewers like because it changes behavior at the boundary rather than trying to make the parser itself reason about impossible lengths. (osv.dev)

What Administrators Should Do​

The first step is simple: identify every application or gem dependency that uses rdiscount. Then confirm whether the deployed version is older than 2.2.7.4. If it is, upgrade promptly and test any application paths that accept large Markdown bodies. (nvd.nist.gov)
The second step is to treat request size and upload size as security controls, not just performance controls. Even with the patch in place, limiting the maximum accepted content length reduces attack surface and protects adjacent components from oversized input abuse. Defense in depth matters more here than in a pure logic bug because the trigger is so easy to reason about. (osv.dev)

• Upgrade to rdiscount 2.2.7.4 or later.
• Audit any gems or services bundling the library indirectly.
• Enforce sane maximum input sizes at the application edge.
• Test rendering paths with large Markdown samples after patching.
• Restart affected worker processes if you suspect they have crashed repeatedly.

Why Input Validation Still Matters After Patching​

It is tempting to treat the patch as the end of the story, but that would be lazy. Native libraries age, dependencies drift, and regressions happen. A hard input cap protects against future parser bugs, reduces memory pressure, and keeps the service architecture simpler to reason about. The best crash is the one your application refuses to accept in the first place. (osv.dev)

Broader Lessons for C Extensions​

This vulnerability is a good reminder that C extensions in dynamic language ecosystems often hide the most fragile assumptions. Ruby may happily track enormous string lengths, while the underlying C library expects a 32-bit signed integer. When those worlds meet, the application can become vulnerable even if each layer seems safe on its own. (osv.dev)

The Signedness Trap​

The signedness problem is especially dangerous because it often appears as a harmless cast. Developers may think they are simply passing a length along, but the callee’s type can silently narrow the value and change the meaning of the data. Once that happens, the parser’s bookkeeping becomes unreliable, and memory safety goes out the window. (osv.dev)
This is not just a rdiscount problem. It is a recurring pattern across bindings, wrappers, and adapters for native code. Any time a high-level language hands a length, offset, count, or capacity into C, the boundary deserves explicit validation. Implicit conversion is not a validation strategy. (osv.dev)

• Watch for integer narrowing at API boundaries.
• Prefer explicit range checks before native calls.
• Treat buffer lengths and element counts as untrusted.
• Test with boundary values, not just normal-size fixtures.

Comparison With Similar Vulnerability Patterns​

Out-of-bounds reads are often discussed in the same breath as buffer overflows, but they deserve separate attention. A read bug may not immediately write attacker-controlled data into memory, yet it can still crash the process or leak limited information depending on context. In this case, the advisory specifically emphasizes a crash path, which is why availability is the headline risk. (osv.dev)

Why Availability-Only Bugs Still Matter​

In modern application stacks, service availability is often tied directly to revenue, user trust, or internal productivity. A parser crash that is easy to retrigger can become a nuisance attack, a disruption vector, or even a way to force operational intervention. The attacker does not need a flashy exploit if they can keep making the system fall over. (osv.dev)
That makes triage tricky. Some organizations over-prioritize CVEs based on whether they mention data exposure, but availability flaws can be just as urgent when they sit in a public request path. The right question is not just “Can it leak?” but “Can it stop the service from doing its job?” (nvd.nist.gov)

Platform and Supply Chain Considerations​

Because rdiscount is a gem, the exposure may be indirect. An application owner may not realize the library is present if it is pulled in by another framework, plugin, or internal component. That makes dependency inventory especially important, because patching only what is visible leaves supply-chain blind spots untouched. (osv.dev)

Hidden Dependencies Are the Real Problem​

The most realistic risk is not a developer intentionally choosing an outdated Markdown library. It is a larger product shipping a transitive dependency that nobody has audited recently. In that scenario, vulnerability management tools may detect the CVE while the code owners still need time to identify where the parser actually runs. (osv.dev)
That is also why library-level advisories need to be read carefully. A report that says “fixed in 2.2.7.4” is useful, but only if the operator can trace where the vulnerable version lives. Without that trace, the organization may have a false sense of safety while the bug remains reachable through one forgotten service. Inventory is part of remediation. (osv.dev)

Strengths and Opportunities​

The good news is that this vulnerability is well understood, narrowly scoped, and easy to remediate once discovered. That gives defenders a clean path to closure, and it offers maintainers a chance to improve guardrails around a class of bugs that often survives code review. It also provides a practical reminder to harden every language boundary where high-level and native code meet.

• The bug has a clear root cause, which makes remediation straightforward.
• The fixed release, 2.2.7.4, is explicitly identified.
• The issue is primarily availability-related, narrowing the impact model.
• The advisory gives concrete affected entry points for fast auditing.
• Teams can add input-size checks even before upgrading.
• Security scanners can use the CVE and GHSA identifiers to map exposure quickly.
• The case reinforces safer practices around integer conversion and bounds checks.

Risks and Concerns​

The biggest concern is that the issue may lurk in dependencies that do not advertise themselves as Markdown processors. A second concern is that oversized input handling is often inconsistent across services, so one part of the stack may be hardened while another still accepts enormous payloads. Finally, repeated crashes can have outsize operational cost even when the exploit itself is simple.

• Applications with public Markdown submission forms are the most exposed.
• Multi-tenant or shared-worker deployments can amplify the blast radius.
• Indirect dependencies may be overlooked during patching.
• Large-input fuzzing is often absent from routine QA.
• Worker restart loops can turn a crash into a sustained outage.
• Some organizations may underestimate a “medium” severity crash bug.
• Input limits set for performance may not be enforced as security controls.

Looking Ahead​

The next few days of response work will likely be less about discovering new exploit mechanics and more about finding every place rdiscount is reachable. That is usually how these advisories play out in real environments: the code fix is quick, but the dependency hunt takes time. Security and platform teams should expect that patch validation, inventory review, and restart planning will consume more effort than the actual upgrade. (osv.dev)
Longer term, this is another reminder that libraries handling untrusted text should treat length as an attack surface. Even mature parsers need explicit guards when they bridge languages with different integer models. The organizations that come out ahead are the ones that combine patching with better input policy, sharper dependency visibility, and routine boundary testing. That combination turns a CVE into a maintenance task instead of a production incident. (osv.dev)

• Confirm whether any service accepts Markdown inputs above INT_MAX.
• Patch to rdiscount 2.2.7.4 everywhere it is used.
• Add application-level maximum size enforcement.
• Re-run regression tests against large text inputs.
• Review other native extensions for similar truncation bugs.

In the end, CVE-2026-35201 is a reminder that seemingly ordinary text-processing libraries can become availability liabilities when native code and oversized input collide. The fix is simple, the affected version range is clear, and the likely impact is constrained to denial of service. But in systems that publish, render, or transform user content at scale, that is still enough to deserve immediate attention.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center