Inefficient Regular Expression Complexity Affecting pcs package, versions *


Severity

Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

Social Trends
EPSS
0.35% (27th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL8-PCS-15885496
  • published4 Apr 2026
  • disclosed26 Mar 2026

Introduced: 26 Mar 2026

CVE-2026-4923  (opens in a new tab)
CWE-1333  (opens in a new tab)

How to fix?

There is no fixed version for RHEL:8 pcs.

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcs package and not the pcs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Impact:

When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.

Unsafe examples:

/*foo-*bar-:baz /*a-:b-*c-:d /x/*a-:b/*c/y

Safe examples:

/*foo-:bar /*foo-:bar-*baz

Patches:

Upgrade to version 8.4.0.

Workarounds:

If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.

CVSS Base Scores

version 3.1