CVE-2026-40319

Description

## Summary The RegexMatching check in the `giskard-checks` package passes a user-supplied regular expression pattern directly to Python's re.search() without any timeout, complexity guard, or pattern validation. An attacker who can control the regex pattern or the text being matched can craft inputs that trigger catastrophic backtracking in the regex engine, causing the process to hang indefinitely and denying service to all other operations. `giskard-checks` is a local developer testing library. Check definitions, including the pattern parameter, are provided in application code or configuration files and executed locally. Exploitation requires write access to a check definition and subsequent execution of the test suite. The absence of a regex timeout could cause availability issues in automated environments such as CI/CD pipelines. ## Affected component `text_matching.py`, line 457: `re.search(pattern, text)` ## Remediation Upgrade to `giskard-checks` >= 1.0.2b1. ## Credit Giskard-AI thanks @dhabaleshwar for identifying the missing timeout on regex evaluation.

How to fix CVE-2026-40319

To remediate CVE-2026-40319, upgrade the affected package to a fixed version below.

—upgrade to 1.0.2b1 or later

Is CVE-2026-40319 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.0.2b1

CVSS scores

Source	Version

osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H