CVE-2026-40319
CWE-1333Published: April 17, 2026· Updated: Apr 17, 2026
Official Description
Giskard is an open-source testing framework for AI models. In versions prior to 1.0.2b1, the RegexMatching check passes a user-supplied regular expression pattern directly to Python's re.search() without any timeout or complexity guard. A crafted regex pattern can trigger catastrophic backtracking, causing the process to hang indefinitely. Exploitation requires write access to a check definition and subsequent execution of the test suite. This issue has been fixed in giskard-checks version 1.0.2b1.
Technical Analysis
CVE-2026-40319 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
All References (2)
Quick Facts
Related CVEs (CWE-1333)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-40319 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts