CVE-2026-46629 in Twig
Summary
by MITRE • 07/15/2026
Twig is a template language for PHP. Prior to 3.26.0, twig/intl-extra memoises IntlDateFormatter and NumberFormatter instances in arrays keyed by template-controlled filter arguments such as locale, pattern, and attrs, allowing a template to allocate many ICU formatter objects that remain pinned for the lifetime of the Twig\Environment. This issue is fixed in version 3.26.0.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability in Twig's intl-extra component represents a significant resource management flaw that enables memory exhaustion through template manipulation. This issue affects versions prior to 3.26.0 where the IntlDateFormatter and NumberFormatter instances are cached in arrays using template-controlled filter arguments as keys. The caching mechanism operates without proper bounds checking or cleanup mechanisms, allowing attackers to exploit this behavior by crafting malicious templates that repeatedly invoke formatting functions with varying parameters. This results in an unbounded accumulation of ICU formatter objects within the Twig environment's memory space, creating a persistent memory leak that can eventually lead to application crashes or denial of service conditions.
The technical implementation of this vulnerability stems from the memoization pattern used for IntlFormatter instances, which are expensive to create and maintain. When templates process data through formatting filters such as date and number formatters, the system caches these objects in arrays keyed by parameters like locale, pattern, and attributes. Since these keys are controlled by template content, an attacker can manipulate them to generate numerous unique cache entries. Each formatter instance consumes significant memory resources due to ICU library overhead, and once cached, these objects remain allocated for the entire lifetime of the Twig environment regardless of whether they are actively used or if their parameters change. This design flaw directly aligns with CWE-400, which describes "Uncontrolled Resource Consumption" and represents a classic case of resource leak in application frameworks.
The operational impact of this vulnerability extends beyond simple memory consumption issues to encompass potential system stability and availability concerns. An attacker can craft templates that systematically exhaust available memory resources by triggering the creation of numerous formatter instances through repeated filter invocations with different parameter combinations. This type of attack can be particularly effective against web applications that process user-supplied template content, as it allows for remote exploitation without requiring special privileges or complex attack chains. The vulnerability affects any application using Twig's intl-extra package and processing templates from untrusted sources, making it a critical concern for content management systems, web applications, and any PHP platform relying on internationalization features. The memory exhaustion typically manifests as gradual performance degradation followed by complete application failure when system resources are exhausted.
Mitigation strategies for this vulnerability require both immediate patching and architectural considerations to prevent similar issues in the future. The primary solution involves upgrading to Twig version 3.26.0 or later, where the caching mechanism has been modified to prevent indefinite accumulation of formatter instances. Organizations should implement comprehensive testing procedures to verify that the patched version resolves the memory leak while maintaining expected functionality. Additionally, developers should enforce strict template validation and sanitization processes to prevent malicious content from reaching the template processing layer. Security teams should consider implementing monitoring solutions that track memory usage patterns in applications using intl-extra components to detect anomalous resource consumption. This vulnerability highlights the importance of proper resource lifecycle management in framework components and aligns with ATT&CK technique T1499.001, which covers "Resource Exhaustion" through memory manipulation techniques. The fix demonstrates industry best practices for preventing uncontrolled resource consumption by implementing appropriate cache eviction policies and ensuring that cached objects do not persist beyond their useful lifetime within the application environment.