CVE-2026-35201

Name of the Vulnerable Software and Affected Versions Discount versions 1.3.1.1 through 2.2.7.3

Description A signed length truncation bug causes an out-of-bounds read in the default Markdown parse path. Inputs larger than INT MAX are truncated to a signed int before entering the native parser, allowing the parser to read past the end of the supplied buffer and crash the process. This issue affects the RDiscount.new(input).to html and RDiscount.new(input).toc content APIs. The vulnerability occurs because RSTRING LEN(text) is passed directly into mkd string(), which accepts an int len. The parser stores the remaining input length in a signed int, and if the Ruby string length exceeds INT MAX, the value can truncate to a negative int, leading to the out-of-bounds read.

Recommendations Update to version 2.2.7.4 or later.