Common Weakness Enumeration

CWE-400

Discouraged

Uncontrolled Resource Consumption

Abstraction: Class · Status: Draft

The product does not properly control the allocation and maintenance of a limited resource.

5417 vulnerabilities reference this CWE, most recent first.

CVE-2026-47479 (GCVE-0-2026-47479)

Vulnerability from cvelistv5 – Published: 2026-07-14 19:46 – Updated: 2026-07-15 14:36
VLAI
Summary
NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
Impacted products
Vendor Product Version
NVIDIA Triton Inference Server Affected: 0.0 , ≤ 26.04 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47479",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-15T14:36:51.521837Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T14:36:59.344Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Triton Inference Server",
          "vendor": "NVIDIA",
          "versions": [
            {
              "lessThanOrEqual": "26.04",
              "status": "affected",
              "version": "0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service."
            }
          ],
          "value": "NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T19:46:57.144Z",
        "orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
        "shortName": "nvidia"
      },
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47479"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47479"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
    "assignerShortName": "nvidia",
    "cveId": "CVE-2026-47479",
    "datePublished": "2026-07-14T19:46:57.144Z",
    "dateReserved": "2026-05-19T19:55:38.728Z",
    "dateUpdated": "2026-07-15T14:36:59.344Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47476 (GCVE-0-2026-47476)

Vulnerability from cvelistv5 – Published: 2026-07-14 19:43 – Updated: 2026-07-15 14:07
VLAI
Summary
NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
Impacted products
Vendor Product Version
NVIDIA Triton Inference Server Affected: 0.0 , ≤ 26.04 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47476",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-15T14:07:19.323542Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T14:07:29.600Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Triton Inference Server",
          "vendor": "NVIDIA",
          "versions": [
            {
              "lessThanOrEqual": "26.04",
              "status": "affected",
              "version": "0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service."
            }
          ],
          "value": "NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Denial of Service"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-14T19:43:39.115Z",
        "orgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
        "shortName": "nvidia"
      },
      "references": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47476"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47476"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9576f279-3576-44b5-a4af-b9a8644b2de6",
    "assignerShortName": "nvidia",
    "cveId": "CVE-2026-47476",
    "datePublished": "2026-07-14T19:43:39.115Z",
    "dateReserved": "2026-05-19T19:55:38.728Z",
    "dateUpdated": "2026-07-15T14:07:29.600Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47262 (GCVE-0-2026-47262)

Vulnerability from cvelistv5 – Published: 2026-07-01 17:48 – Updated: 2026-07-01 18:34
VLAI
Title
containerd image-triggered runtime DoS via unbounded group parsing
Summary
containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
Vendor Product Version
containerd containerd Affected: >= 1.7.0, < 1.7.33
Affected: >= 2.0.0, < 2.0.10
Affected: >= 2.1.0, < 2.1.9
Affected: >= 2.2.0, < 2.2.5
Affected: >= 2.3.0, < 2.3.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47262",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T18:33:54.105358Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T18:34:06.714Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "containerd",
          "vendor": "containerd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.7.0, \u003c 1.7.33"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.0.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.1.0, \u003c 2.1.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.2.0, \u003c 2.2.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.3.0, \u003c 2.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "containerd is an open-source container runtime. Versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2, contain a vulnerability that allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unavailable and can disrupt clients such as the Docker Engine or Kubernetes control-plane components. This issue has been fixed in versions 1.7.33, 2.0.10, 2.1.9, 2.2.5 and 2.3.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T17:48:43.205Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq"
        }
      ],
      "source": {
        "advisory": "GHSA-jpcc-p29g-p8mq",
        "discovery": "UNKNOWN"
      },
      "title": "containerd image-triggered runtime DoS via unbounded group parsing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47262",
    "datePublished": "2026-07-01T17:48:43.205Z",
    "dateReserved": "2026-05-18T23:03:37.229Z",
    "dateUpdated": "2026-07-01T18:34:06.714Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47244 (GCVE-0-2026-47244)

Vulnerability from cvelistv5 – Published: 2026-06-12 14:23 – Updated: 2026-06-12 14:59
VLAI
Title
Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
Summary
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
Impacted products
Vendor Product Version
netty netty Affected: >= 4.2.0.Final, < 4.2.15.Final
Affected: < 4.1.135.Final
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47244",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-12T14:59:00.141106Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-12T14:59:15.823Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Final, \u003c 4.2.15.Final"
            },
            {
              "status": "affected",
              "version": "\u003c 4.1.135.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-12T14:23:50.316Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-5x3r-wrvg-rp6q"
        },
        {
          "name": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
        },
        {
          "name": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
        }
      ],
      "source": {
        "advisory": "GHSA-5x3r-wrvg-rp6q",
        "discovery": "UNKNOWN"
      },
      "title": "Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47244",
    "datePublished": "2026-06-12T14:23:50.316Z",
    "dateReserved": "2026-05-18T22:54:18.272Z",
    "dateUpdated": "2026-06-12T14:59:15.823Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47214 (GCVE-0-2026-47214)

Vulnerability from cvelistv5 – Published: 2026-06-26 15:45 – Updated: 2026-06-26 18:41
VLAI
Title
Docling: Unsafe URI and Path Handling in HTML Backend
Summary
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-73 - External Control of File Name or Path
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
Vendor Product Version
docling-project docling Affected: < 2.94.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47214",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T17:50:33.103623Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T18:41:52.977Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "docling",
          "vendor": "docling-project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.94.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73: External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T15:45:04.659Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/docling-project/docling/security/advisories/GHSA-q29v-xc37-wh5m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/docling-project/docling/security/advisories/GHSA-q29v-xc37-wh5m"
        },
        {
          "name": "https://github.com/docling-project/docling/releases/tag/v2.94.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/docling-project/docling/releases/tag/v2.94.0"
        }
      ],
      "source": {
        "advisory": "GHSA-q29v-xc37-wh5m",
        "discovery": "UNKNOWN"
      },
      "title": "Docling: Unsafe URI and Path Handling in HTML Backend"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47214",
    "datePublished": "2026-06-26T15:45:04.659Z",
    "dateReserved": "2026-05-18T22:25:21.258Z",
    "dateUpdated": "2026-06-26T18:41:52.977Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47077 (GCVE-0-2026-47077)

Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-27 15:40
VLAI
Title
Unbounded body accumulation in HTTP/3 response loop in hackney
Summary
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame — it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition. This issue affects hackney: from 2.0.0 before 4.0.1.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
EEF
Impacted products
Vendor Product Version
benoitc hackney Affected: 2.0.0 , < 4.0.1 (semver)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Create a notification for this product.
benoitc hackney Affected: 0334af206d5099fdf510ed9eda18e34396f065ad , < 3d25f9fea26c90609de9d64366fedfe5065413bc (git)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Peter Ullrich Benoit Chesneau Jonatan Männchen / EEF
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47077",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T15:47:51.427632Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T15:47:54.752Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-jq4m-q6p2-8gwc"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_h3"
          ],
          "packageName": "hackney",
          "packageURL": "pkg:hex/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_h3.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_h3:await_response_loop/6"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_h3"
          ],
          "packageName": "benoitc/hackney",
          "packageURL": "pkg:github/benoitc/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_h3.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_h3:await_response_loop/6"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "3d25f9fea26c90609de9d64366fedfe5065413bc",
              "status": "affected",
              "version": "0334af206d5099fdf510ed9eda18e34396f065ad",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The application must use the HTTP/3 transport by calling \u003ctt\u003ehackney_h3\u003c/tt\u003e directly or by passing \u003ctt\u003e{transport, h3}\u003c/tt\u003e to \u003ctt\u003ehackney:request/5\u003c/tt\u003e. The default hackney transport (TCP/TLS) is not affected."
            }
          ],
          "value": "The application must use the HTTP/3 transport by calling hackney_h3 directly or by passing {transport, h3} to hackney:request/5. The default hackney transport (TCP/TLS) is not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.0.1",
                  "versionStartIncluding": "2.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benoit Chesneau"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding.\u003cp\u003e\u003ctt\u003ehackney_h3:await_response_loop/6\u003c/tt\u003e accumulates the HTTP/3 response body in memory without any size cap. The \u003ctt\u003eafter Timeout\u003c/tt\u003e clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame \u2014 it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every \u003ctt\u003eTimeout - 1\u003c/tt\u003e ms with \u003ctt\u003eFin = false\u003c/tt\u003e and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 2.0.0 before 4.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame \u2014 it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition.\n\nThis issue affects hackney: from 2.0.0 before 4.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-125",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-125 Flooding"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:40:53.384Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-jq4m-q6p2-8gwc"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47077.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47077"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/benoitc/hackney/commit/3d25f9fea26c90609de9d64366fedfe5065413bc"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded body accumulation in HTTP/3 response loop in hackney",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47077",
    "datePublished": "2026-05-25T14:00:42.217Z",
    "dateReserved": "2026-05-18T17:28:10.319Z",
    "dateUpdated": "2026-05-27T15:40:53.384Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47073 (GCVE-0-2026-47073)

Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-27 15:41
VLAI
Title
Unbounded memory consumption in WebSocket client in hackney
Summary
Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackney_ws.erl imposes no upper bound on memory consumption in three code paths. First, read_handshake_response/3 accumulates received bytes into a growing buffer with no size cap; the per-receive timeout resets on every chunk, so a server that streams bytes without ever sending \r\n\r\n causes the buffer to grow until memory is exhausted. Second, parse_payload/9 and parse_active_payload/8 do not validate the declared frame payload length against any limit; because RFC 6455 allows payload lengths up to 2^63-1 bytes, a server that announces a very large frame and dribbles bytes causes the accumulation buffer to grow until OOM. Third, the frag_buffer field in #ws_data{} accumulates continuation frames indefinitely; a server that sends an endless stream of non-final (nofin) fragmented frames without ever sending a final (fin) frame grows frag_buffer without bound. In all three cases the attacker only needs to control the WebSocket server the hackney client connects to, with no authentication or special client configuration required. This issue affects hackney: from 2.0.0 before 4.0.1.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
EEF
Impacted products
Vendor Product Version
benoitc hackney Affected: 2.0.0 , < 4.0.1 (semver)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Create a notification for this product.
benoitc hackney Affected: 690cecaf236fba49526da404a5bc889a24367a3e , < ce0109e2970ace6e20ff29bae9d05c3ac22ec6dc (git)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Peter Ullrich Benoit Chesneau Jonatan Männchen / EEF
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47073",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T15:44:41.043069Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T15:44:44.796Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-q8jg-fgj4-fphf"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_ws"
          ],
          "packageName": "hackney",
          "packageURL": "pkg:hex/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_ws.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_ws:read_handshake_response/3"
            },
            {
              "name": "hackney_ws:parse_payload/9"
            },
            {
              "name": "hackney_ws:parse_active_payload/8"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_ws"
          ],
          "packageName": "benoitc/hackney",
          "packageURL": "pkg:github/benoitc/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_ws.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_ws:read_handshake_response/3"
            },
            {
              "name": "hackney_ws:parse_payload/9"
            },
            {
              "name": "hackney_ws:parse_active_payload/8"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "ce0109e2970ace6e20ff29bae9d05c3ac22ec6dc",
              "status": "affected",
              "version": "690cecaf236fba49526da404a5bc889a24367a3e",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.0.1",
                  "versionStartIncluding": "2.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benoit Chesneau"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding.\u003cp\u003eThe WebSocket client in \u003ctt\u003esrc/hackney_ws.erl\u003c/tt\u003e imposes no upper bound on memory consumption in three code paths. First, \u003ctt\u003eread_handshake_response/3\u003c/tt\u003e accumulates received bytes into a growing buffer with no size cap; the per-receive timeout resets on every chunk, so a server that streams bytes without ever sending \u003ctt\u003e\\r\\n\\r\\n\u003c/tt\u003e causes the buffer to grow until memory is exhausted. Second, \u003ctt\u003eparse_payload/9\u003c/tt\u003e and \u003ctt\u003eparse_active_payload/8\u003c/tt\u003e do not validate the declared frame payload length against any limit; because RFC 6455 allows payload lengths up to 2\u207b\u00b9\u2013\u00b9 bytes, a server that announces a very large frame and dribbles bytes causes the accumulation buffer to grow until OOM. Third, the \u003ctt\u003efrag_buffer\u003c/tt\u003e field in \u003ctt\u003e#ws_data{}\u003c/tt\u003e accumulates continuation frames indefinitely; a server that sends an endless stream of non-final (\u003ctt\u003enofin\u003c/tt\u003e) fragmented frames without ever sending a final (\u003ctt\u003efin\u003c/tt\u003e) frame grows \u003ctt\u003efrag_buffer\u003c/tt\u003e without bound.\u003c/p\u003e\u003cp\u003eIn all three cases the attacker only needs to control the WebSocket server the hackney client connects to, with no authentication or special client configuration required.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 2.0.0 before 4.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackney_ws.erl imposes no upper bound on memory consumption in three code paths. First, read_handshake_response/3 accumulates received bytes into a growing buffer with no size cap; the per-receive timeout resets on every chunk, so a server that streams bytes without ever sending \\r\\n\\r\\n causes the buffer to grow until memory is exhausted. Second, parse_payload/9 and parse_active_payload/8 do not validate the declared frame payload length against any limit; because RFC 6455 allows payload lengths up to 2^63-1 bytes, a server that announces a very large frame and dribbles bytes causes the accumulation buffer to grow until OOM. Third, the frag_buffer field in #ws_data{} accumulates continuation frames indefinitely; a server that sends an endless stream of non-final (nofin) fragmented frames without ever sending a final (fin) frame grows frag_buffer without bound.\n\nIn all three cases the attacker only needs to control the WebSocket server the hackney client connects to, with no authentication or special client configuration required.\n\nThis issue affects hackney: from 2.0.0 before 4.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-125",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-125 Flooding"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:41:30.606Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-q8jg-fgj4-fphf"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47073.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47073"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/benoitc/hackney/commit/ce0109e2970ace6e20ff29bae9d05c3ac22ec6dc"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unbounded memory consumption in WebSocket client in hackney",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47073",
    "datePublished": "2026-05-25T14:00:49.112Z",
    "dateReserved": "2026-05-18T17:28:08.322Z",
    "dateUpdated": "2026-05-27T15:41:30.606Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47071 (GCVE-0-2026-47071)

Vulnerability from cvelistv5 – Published: 2026-05-25 14:00 – Updated: 2026-05-27 15:40
VLAI
Title
SOCKS5 TLS upgrade ignores caller timeout in hackney
Summary
Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller. This issue affects hackney: from 0.10.0 before 4.0.1.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
EEF
Impacted products
Vendor Product Version
benoitc hackney Affected: 0.10.0 , < 4.0.1 (semver)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Create a notification for this product.
benoitc hackney Affected: 34cdbd1d20a282aacc286a89327465a3925b4c5d , < 5ccdab725c561a6f03d05a51f2d0664f98236dae (git)
    cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Peter Ullrich Benoit Chesneau Jonatan Männchen / EEF
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47071",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-26T15:48:41.704626Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-26T15:48:45.842Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-gp9c-pm5m-5cxr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.hex.pm",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_socks5"
          ],
          "packageName": "hackney",
          "packageURL": "pkg:hex/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_socks5.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_socks5:connect/4"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "4.0.1",
              "status": "affected",
              "version": "0.10.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "modules": [
            "hackney_socks5"
          ],
          "packageName": "benoitc/hackney",
          "packageURL": "pkg:github/benoitc/hackney",
          "product": "hackney",
          "programFiles": [
            "src/hackney_socks5.erl"
          ],
          "programRoutines": [
            {
              "name": "hackney_socks5:connect/4"
            }
          ],
          "repo": "https://github.com/benoitc/hackney",
          "vendor": "benoitc",
          "versions": [
            {
              "lessThan": "5ccdab725c561a6f03d05a51f2d0664f98236dae",
              "status": "affected",
              "version": "34cdbd1d20a282aacc286a89327465a3925b4c5d",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.0.1",
                  "versionStartIncluding": "0.10.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "AND"
            }
          ],
          "operator": "AND"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Ullrich"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Benoit Chesneau"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jonatan M\u00e4nnchen / EEF"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding.\u003cp\u003eThe SOCKS5 transport in \u003ctt\u003esrc/hackney_socks5.erl\u003c/tt\u003e correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form \u003ctt\u003essl:connect/2\u003c/tt\u003e, which defaults to an infinite timeout. The \u003ctt\u003eTimeout\u003c/tt\u003e value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the \u003ctt\u003econnect_timeout\u003c/tt\u003e or \u003ctt\u003erecv_timeout\u003c/tt\u003e options supplied by the caller.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 0.10.0 before 4.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller.\n\nThis issue affects hackney: from 0.10.0 before 4.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:40:48.584Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/benoitc/hackney/security/advisories/GHSA-gp9c-pm5m-5cxr"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-47071.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-47071"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/benoitc/hackney/commit/5ccdab725c561a6f03d05a51f2d0664f98236dae"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SOCKS5 TLS upgrade ignores caller timeout in hackney",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-47071",
    "datePublished": "2026-05-25T14:00:41.112Z",
    "dateReserved": "2026-05-18T17:28:08.322Z",
    "dateUpdated": "2026-05-27T15:40:48.584Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46689 (GCVE-0-2026-46689)

Vulnerability from cvelistv5 – Published: 2026-06-10 20:28 – Updated: 2026-06-11 12:55
VLAI
Title
Kanidm: Unauthenticated process abort via SCIM filter stack exhaustion
Summary
Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort() — the entire kanidmd process exits. The parse runs inside axum's Query<ScimEntryGetQuery> extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-248 - Uncaught Exception
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-674 - Uncontrolled Recursion
Assigner
References
Impacted products
Vendor Product Version
kanidm kanidm Affected: < 1.9.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46689",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-11T12:55:52.379516Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T12:55:59.122Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/kanidm/kanidm/security/advisories/GHSA-r5fr-9gmv-jggh"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kanidm",
          "vendor": "kanidm",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.9.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (\u2248 4\u201312 KB) drives the recursive-descent PEG parser past the worker thread\u0027s stack guard page. Rust responds to stack overflow with std::process::abort() \u2014 the entire kanidmd process exits. The parse runs inside axum\u0027s Query\u003cScimEntryGetQuery\u003e extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T20:28:44.009Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kanidm/kanidm/security/advisories/GHSA-r5fr-9gmv-jggh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kanidm/kanidm/security/advisories/GHSA-r5fr-9gmv-jggh"
        },
        {
          "name": "https://github.com/kanidm/kanidm/releases/tag/v1.9.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kanidm/kanidm/releases/tag/v1.9.3"
        }
      ],
      "source": {
        "advisory": "GHSA-r5fr-9gmv-jggh",
        "discovery": "UNKNOWN"
      },
      "title": "Kanidm: Unauthenticated process abort via SCIM filter stack exhaustion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-46689",
    "datePublished": "2026-06-10T20:28:44.009Z",
    "dateReserved": "2026-05-15T21:46:51.548Z",
    "dateUpdated": "2026-06-11T12:55:59.122Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-46679 (GCVE-0-2026-46679)

Vulnerability from cvelistv5 – Published: 2026-06-10 21:08 – Updated: 2026-06-11 14:18
VLAI
Title
libp2p: Memory DoS via subscription flood of unique topics
Summary
libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-20 - Improper Input Validation
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
Impacted products
Vendor Product Version
libp2p js-libp2p Affected: < 15.0.23
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-46679",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-11T14:18:10.380346Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T14:18:41.039Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-4f8r-922h-2vgv"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "js-libp2p",
          "vendor": "libp2p",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 15.0.23"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T21:08:52.464Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-4f8r-922h-2vgv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/libp2p/js-libp2p/security/advisories/GHSA-4f8r-922h-2vgv"
        }
      ],
      "source": {
        "advisory": "GHSA-4f8r-922h-2vgv",
        "discovery": "UNKNOWN"
      },
      "title": "libp2p: Memory DoS via subscription flood of unique topics"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-46679",
    "datePublished": "2026-06-10T21:08:52.464Z",
    "dateReserved": "2026-05-15T21:46:51.547Z",
    "dateUpdated": "2026-06-11T14:18:41.039Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation
Architecture and Design

Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.

Mitigation
Architecture and Design
  • Mitigation of resource exhaustion attacks requires that the target system either:
  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
  • The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
  • recognizes the attack and denies that user further access for a given amount of time, or
  • uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Architecture and Design

Ensure that protocols have specific limits of scale placed on them.

Mitigation
Implementation

Ensure that all failures in resource allocation place the system into a safe posture.

CAPEC-147: XML Ping of the Death

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

CAPEC-227: Sustained Client Engagement

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.