CVE-2026-53531

MEDIUMPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

ratex-parser has unbounded parser recursion that leads to stack overflow (process abort)

Summary

RaTeX’s recursive-descent parser recurses one (or more) native stack frame per nesting level at {, \left, \sqrt{, ^{, etc, with no maximum depth limit. A short, ~10 KB input of nested groups overflows the 8 MB main-thread stack and aborts the process. With panic = "abort" (Cargo.toml:48), and because a Rust stack overflow is always a fatal SIGABRT regardless of panic strategy this is an unrecoverable, whole-process denial of service reachable from a single untrusted LaTeX string.

Details

The mutual recursion has no depth guard (crates/ratex-parser/src/parser.rs):

parse_expression (:113)  ->  parse_atom (:281/285)  ->  parse_group (:451)
                                  ^                          |
                                  |   on '{' (:459) recurse  |
                                  +--------------------------+

\left adds another recursive edge: handle_leftparse_expression (crates/ratex-parser/src/functions/left_right.rs:47). The only counters present are unrelated to depth: leftright_depth (a \right-matching counter, parser.rs:24) and the macro expander’s max_expand = 1000 (macro_expander.rs:64), which does not gate brace / \left recursion (those tokens never pass through expand_once). There is no recursion_limit/depth parameter on parse_group, parse_expression, or parse_atom.

PoC

$ python3 -c 'import sys;sys.stdout.write("{"*200000+"x"+"}"*200000)' | ./target/release/parse
thread 'main' has overflowed its stack
fatal runtime error: stack overflow, aborting
Aborted (core dumped)            # exit 134

(Other nesting forms work equally, e.g. \left(×N, \sqrt{×N, ^{×N.)

Impact

A single small request crashes the whole RaTeX process. In a typical server-side math-rendering service this is a reliable, unauthenticated DoS; on smaller worker-thread stacks (e.g. a 512 KB async runtime thread) only a few hundred bytes of nesting are required.

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 7, 2026

Last Modified

July 7, 2026

Vendor Advisories for CVE-2026-53531(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Frequently asked(3)

What is CVE-2026-53531?
CVE-2026-53531 is a medium vulnerability published on July 7, 2026. ratex-parser has unbounded parser recursion that leads to stack overflow (process abort) Summary RaTeX’s recursive-descent parser recurses one (or more) native stack frame per nesting level at {, \left, \sqrt{, ^{, etc, with no maximum depth limit. A short, ~10 KB input of nested groups overflows…
When was CVE-2026-53531 disclosed?
CVE-2026-53531 was first published in the National Vulnerability Database on July 7, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-53531?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-53531, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-53531

Explore →

Is Your Infrastructure Affected by CVE-2026-53531?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.