CWE-789
Memory Allocation with Excessive Size Value
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CVE-2026-40303 (GCVE-0-2026-40303)
Vulnerability from cvelistv5 – Published: 2026-04-17 21:01 – Updated: 2026-04-20 16:19
VLAI
Title
zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing
Summary
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.
Severity
7.5 (High)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/openziti/zrok/security/advisor… | x_refsource_CONFIRM |
| https://github.com/openziti/zrok/releases/tag/v2.0.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40303",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T16:18:59.334800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T16:19:07.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "zrok",
"vendor": "openziti",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T21:01:51.899Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9"
},
{
"name": "https://github.com/openziti/zrok/releases/tag/v2.0.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openziti/zrok/releases/tag/v2.0.1"
}
],
"source": {
"advisory": "GHSA-cpf9-ph2j-ccr9",
"discovery": "UNKNOWN"
},
"title": "zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40303",
"datePublished": "2026-04-17T21:01:51.899Z",
"dateReserved": "2026-04-10T20:22:44.036Z",
"dateUpdated": "2026-04-20T16:19:07.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40891 (GCVE-0-2026-40891)
Vulnerability from cvelistv5 – Published: 2026-04-23 17:54 – Updated: 2026-04-23 18:23
VLAI
Title
OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling
Summary
OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). This vulnerability is fixed in 1.15.2.
Severity
5.3 (Medium)
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-d… | x_refsource_CONFIRM |
| https://github.com/open-telemetry/opentelemetry-d… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-d… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-dotnet |
Affected:
>= 1.13.1, < 1.15.3
|
|
| open-telemetry | OpenTelemetry.Exporter.OpenTelemetryProtocol |
Affected:
>= 1.13.1, < 1.15.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T18:22:43.489569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T18:23:08.858Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-dotnet",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.13.1, \u003c 1.15.3"
}
]
},
{
"product": "OpenTelemetry.Exporter.OpenTelemetryProtocol",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.13.1, \u003c 1.15.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). This vulnerability is fixed in 1.15.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T17:54:36.033Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064"
}
],
"source": {
"advisory": "GHSA-mr8r-92fq-pj8p",
"discovery": "UNKNOWN"
},
"title": "OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40891",
"datePublished": "2026-04-23T17:54:36.033Z",
"dateReserved": "2026-04-15T16:37:22.766Z",
"dateUpdated": "2026-04-23T18:23:08.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40894 (GCVE-0-2026-40894)
Vulnerability from cvelistv5 – Published: 2026-04-23 18:03 – Updated: 2026-04-23 19:22
VLAI
Title
OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers
Summary
OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.
Severity
5.3 (Medium)
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-d… | x_refsource_CONFIRM |
| https://github.com/open-telemetry/opentelemetry-d… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-d… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-d… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-d… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-d… | x_refsource_MISC |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-dotnet |
Affected:
>= 0.5.0-beta.2, < 1.15.3
|
|
| open-telemetry | OpenTelemetry.Api |
Affected:
>= 0.5.0-beta.2, < 1.15.3
|
|
| open-telemetry | OpenTelemetry.Extensions.Propagators |
Affected:
>= 1.3.1, < 1.15.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T19:22:40.530419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T19:22:47.268Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-dotnet",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.5.0-beta.2, \u003c 1.15.3"
}
]
},
{
"product": "OpenTelemetry.Api",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.5.0-beta.2, \u003c 1.15.3"
}
]
},
{
"product": "OpenTelemetry.Extensions.Propagators",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.1, \u003c 1.15.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T18:03:28.211Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061"
}
],
"source": {
"advisory": "GHSA-g94r-2vxg-569j",
"discovery": "UNKNOWN"
},
"title": "OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40894",
"datePublished": "2026-04-23T18:03:28.211Z",
"dateReserved": "2026-04-15T16:37:22.766Z",
"dateUpdated": "2026-04-23T19:22:47.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41312 (GCVE-0-2026-41312)
Vulnerability from cvelistv5 – Published: 2026-04-22 21:02 – Updated: 2026-04-23 13:45
VLAI
Title
pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM
Summary
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
Severity
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/py-pdf/pypdf/security/advisori… | x_refsource_CONFIRM |
| https://github.com/py-pdf/pypdf/pull/3734 | x_refsource_MISC |
| https://github.com/py-pdf/pypdf/commit/ac734dab4e… | x_refsource_MISC |
| https://github.com/py-pdf/pypdf/releases/tag/6.10.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41312",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T13:45:18.970091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T13:45:30.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pypdf",
"vendor": "py-pdf",
"versions": [
{
"status": "affected",
"version": "\u003c 6.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T21:04:22.958Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-7gw9-cf7v-778f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-7gw9-cf7v-778f"
},
{
"name": "https://github.com/py-pdf/pypdf/pull/3734",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/py-pdf/pypdf/pull/3734"
},
{
"name": "https://github.com/py-pdf/pypdf/commit/ac734dab4eef92bcce50d503949b4d9887d89f11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/py-pdf/pypdf/commit/ac734dab4eef92bcce50d503949b4d9887d89f11"
},
{
"name": "https://github.com/py-pdf/pypdf/releases/tag/6.10.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/py-pdf/pypdf/releases/tag/6.10.2"
}
],
"source": {
"advisory": "GHSA-7gw9-cf7v-778f",
"discovery": "UNKNOWN"
},
"title": "pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41312",
"datePublished": "2026-04-22T21:02:53.156Z",
"dateReserved": "2026-04-20T14:01:46.671Z",
"dateUpdated": "2026-04-23T13:45:30.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41314 (GCVE-0-2026-41314)
Vulnerability from cvelistv5 – Published: 2026-04-22 21:08 – Updated: 2026-04-23 14:21
VLAI
Title
pypdf: Manipulated FlateDecode image dimensions can exhaust RAM
Summary
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
Severity
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/py-pdf/pypdf/security/advisori… | x_refsource_CONFIRM |
| https://github.com/py-pdf/pypdf/pull/3734 | x_refsource_MISC |
| https://github.com/py-pdf/pypdf/commit/ac734dab4e… | x_refsource_MISC |
| https://github.com/py-pdf/pypdf/releases/tag/6.10.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41314",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T14:21:23.056055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:21:47.589Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pypdf",
"vendor": "py-pdf",
"versions": [
{
"status": "affected",
"version": "\u003c 6.10.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T21:08:14.700Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-x284-j5p8-9c5p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-x284-j5p8-9c5p"
},
{
"name": "https://github.com/py-pdf/pypdf/pull/3734",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/py-pdf/pypdf/pull/3734"
},
{
"name": "https://github.com/py-pdf/pypdf/commit/ac734dab4eef92bcce50d503949b4d9887d89f11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/py-pdf/pypdf/commit/ac734dab4eef92bcce50d503949b4d9887d89f11"
},
{
"name": "https://github.com/py-pdf/pypdf/releases/tag/6.10.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/py-pdf/pypdf/releases/tag/6.10.2"
}
],
"source": {
"advisory": "GHSA-x284-j5p8-9c5p",
"discovery": "UNKNOWN"
},
"title": "pypdf: Manipulated FlateDecode image dimensions can exhaust RAM"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41314",
"datePublished": "2026-04-22T21:08:14.700Z",
"dateReserved": "2026-04-20T14:01:46.671Z",
"dateUpdated": "2026-04-23T14:21:47.589Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42146 (GCVE-0-2026-42146)
Vulnerability from cvelistv5 – Published: 2026-05-04 17:53 – Updated: 2026-05-06 13:44
VLAI
Title
CImg Library: Uncontrolled memory allocation via nb_colors field in _load_bmp
Summary
CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5.
Severity
5.5 (Medium)
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/GreycLab/CImg/security/advisor… | x_refsource_CONFIRM |
| https://github.com/GreycLab/CImg/issues/477 | x_refsource_MISC |
| https://github.com/GreycLab/CImg/commit/c3aacf5b9… | x_refsource_MISC |
| https://github.com/GreycLab/CImg/releases/tag/v.3.7.5 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42146",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T13:43:28.189688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T13:44:14.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/GreycLab/CImg/issues/477"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CImg",
"vendor": "GreycLab",
"versions": [
{
"status": "affected",
"version": "\u003c c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T17:53:23.830Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/GreycLab/CImg/security/advisories/GHSA-g54r-qmgx-c6fv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/GreycLab/CImg/security/advisories/GHSA-g54r-qmgx-c6fv"
},
{
"name": "https://github.com/GreycLab/CImg/issues/477",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/GreycLab/CImg/issues/477"
},
{
"name": "https://github.com/GreycLab/CImg/commit/c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/GreycLab/CImg/commit/c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3"
},
{
"name": "https://github.com/GreycLab/CImg/releases/tag/v.3.7.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/GreycLab/CImg/releases/tag/v.3.7.5"
}
],
"source": {
"advisory": "GHSA-g54r-qmgx-c6fv",
"discovery": "UNKNOWN"
},
"title": "CImg Library: Uncontrolled memory allocation via nb_colors field in _load_bmp"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42146",
"datePublished": "2026-05-04T17:53:23.830Z",
"dateReserved": "2026-04-24T17:15:21.834Z",
"dateUpdated": "2026-05-06T13:44:14.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42154 (GCVE-0-2026-42154)
Vulnerability from cvelistv5 – Published: 2026-05-04 18:13 – Updated: 2026-05-04 20:19
VLAI
Title
Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Summary
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
Severity
7.5 (High)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/prometheus/prometheus/security… | x_refsource_CONFIRM |
| https://github.com/prometheus/prometheus/pull/18584 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/pull/18585 | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
| https://github.com/prometheus/prometheus/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| prometheus | prometheus |
Affected:
< 3.5.3
Affected: >= 3.6.0, < 3.11.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42154",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T20:18:48.754025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T20:19:13.876Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "prometheus",
"vendor": "prometheus",
"versions": [
{
"status": "affected",
"version": "\u003c 3.5.3"
},
{
"status": "affected",
"version": "\u003e= 3.6.0, \u003c 3.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T18:13:12.340Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18584",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18584"
},
{
"name": "https://github.com/prometheus/prometheus/pull/18585",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/pull/18585"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3"
},
{
"name": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3"
}
],
"source": {
"advisory": "GHSA-8rm2-7qqf-34qm",
"discovery": "UNKNOWN"
},
"title": "Prometheus: remote read endpoint allows denial of service via crafted snappy payload"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42154",
"datePublished": "2026-05-04T18:13:12.340Z",
"dateReserved": "2026-04-24T17:15:21.835Z",
"dateUpdated": "2026-05-04T20:19:13.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42189 (GCVE-0-2026-42189)
Vulnerability from cvelistv5 – Published: 2026-05-08 19:49 – Updated: 2026-05-11 14:23
VLAI
Title
Russh: Pre-auth DoS via unbounded allocation in keyboard-interactive auth
Summary
Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1.
Severity
7.5 (High)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Eugeny/russh/security/advisori… | x_refsource_CONFIRM |
| https://github.com/Eugeny/russh/commit/6c3c80a9b6… | x_refsource_MISC |
| https://github.com/Eugeny/russh/releases/tag/v0.60.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42189",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T14:23:22.063007Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T14:23:49.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "russh",
"vendor": "Eugeny",
"versions": [
{
"status": "affected",
"version": "\u003c 0.60.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Russh is a Rust SSH client \u0026 server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server\u0027s keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T19:49:51.179Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg"
},
{
"name": "https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6227d60fa8310e57172a4d1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6227d60fa8310e57172a4d1"
},
{
"name": "https://github.com/Eugeny/russh/releases/tag/v0.60.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Eugeny/russh/releases/tag/v0.60.1"
}
],
"source": {
"advisory": "GHSA-f5v4-2wr6-hqmg",
"discovery": "UNKNOWN"
},
"title": "Russh: Pre-auth DoS via unbounded allocation in keyboard-interactive auth"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42189",
"datePublished": "2026-05-08T19:49:51.179Z",
"dateReserved": "2026-04-25T01:53:21.583Z",
"dateUpdated": "2026-05-11T14:23:49.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42241 (GCVE-0-2026-42241)
Vulnerability from cvelistv5 – Published: 2026-05-07 18:52 – Updated: 2026-05-08 21:30
VLAI
Title
ParquetSharp: Possible Stack Overflow When Reading a ParquetFile with Large Decimal Type Width
Summary
ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this could lead to a stack overflow. In a service environment, this would potentially take down a service. This affects applications using ParquetSharp to read untrusted Parquet files in a network service. This issue has been patched in version 23.0.0.1.
Severity
5.3 (Medium)
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/G-Research/ParquetSharp/securi… | x_refsource_CONFIRM |
| https://github.com/G-Research/ParquetSharp/releas… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| G-Research | ParquetSharp |
Affected:
>= 18.1.0, < 23.0.0.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42241",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T14:38:23.750570Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T21:30:27.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ParquetSharp",
"vendor": "G-Research",
"versions": [
{
"status": "affected",
"version": "\u003e= 18.1.0, \u003c 23.0.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this could lead to a stack overflow. In a service environment, this would potentially take down a service. This affects applications using ParquetSharp to read untrusted Parquet files in a network service. This issue has been patched in version 23.0.0.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T18:52:06.773Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/G-Research/ParquetSharp/security/advisories/GHSA-rrjr-v56m-ww88",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/G-Research/ParquetSharp/security/advisories/GHSA-rrjr-v56m-ww88"
},
{
"name": "https://github.com/G-Research/ParquetSharp/releases/tag/23.0.0.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/G-Research/ParquetSharp/releases/tag/23.0.0.1"
}
],
"source": {
"advisory": "GHSA-rrjr-v56m-ww88",
"discovery": "UNKNOWN"
},
"title": "ParquetSharp: Possible Stack Overflow When Reading a ParquetFile with Large Decimal Type Width"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42241",
"datePublished": "2026-05-07T18:52:06.773Z",
"dateReserved": "2026-04-25T05:37:12.118Z",
"dateUpdated": "2026-05-08T21:30:27.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42348 (GCVE-0-2026-42348)
Vulnerability from cvelistv5 – Published: 2026-05-12 18:01 – Updated: 2026-05-13 19:32
VLAI
Title
OpAMP client reads unbounded HTTP response bodies
Summary
OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured OpAMP server is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response. This vulnerability is fixed in 0.2.0-alpha.1.
Severity
5.9 (Medium)
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-d… | x_refsource_CONFIRM |
| https://github.com/open-telemetry/opentelemetry-d… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | opentelemetry-dotnet-contrib |
Affected:
< 0.2.0-alpha.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42348",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T19:25:08.216390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T19:32:28.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "opentelemetry-dotnet-contrib",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003c 0.2.0-alpha.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured OpAMP server is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response. This vulnerability is fixed in 0.2.0-alpha.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T18:01:41.812Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-w2jh-77fq-7gp8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-w2jh-77fq-7gp8"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4116",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4116"
}
],
"source": {
"advisory": "GHSA-w2jh-77fq-7gp8",
"discovery": "UNKNOWN"
},
"title": "OpAMP client reads unbounded HTTP response bodies"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42348",
"datePublished": "2026-05-12T18:01:41.812Z",
"dateReserved": "2026-04-26T13:26:14.515Z",
"dateUpdated": "2026-05-13T19:32:28.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phases: Implementation, Architecture and Design
Description:
- Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
Mitigation
Phase: Operation
Description:
- Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.
No CAPEC attack patterns related to this CWE.