Common Weakness Enumeration

CWE-789

Memory Allocation with Excessive Size Value

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

CVE-2026-40894 (GCVE-0-2026-40894)

Vulnerability from cvelistv5 – Published: 2026-04-23 18:03 – Updated: 2026-04-23 19:22
VLAI
Title
OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers
Summary
OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
Assigner
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40894",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-23T19:22:40.530419Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-23T19:22:47.268Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-dotnet",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.5.0-beta.2, \u003c 1.15.3"
            }
          ]
        },
        {
          "product": "OpenTelemetry.Api",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.5.0-beta.2, \u003c 1.15.3"
            }
          ]
        },
        {
          "product": "OpenTelemetry.Extensions.Propagators",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.3.1, \u003c 1.15.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-23T18:03:28.211Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061"
        }
      ],
      "source": {
        "advisory": "GHSA-g94r-2vxg-569j",
        "discovery": "UNKNOWN"
      },
      "title": "OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40894",
    "datePublished": "2026-04-23T18:03:28.211Z",
    "dateReserved": "2026-04-15T16:37:22.766Z",
    "dateUpdated": "2026-04-23T19:22:47.268Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41178 (GCVE-0-2026-41178)

Vulnerability from cvelistv5 – Published: 2026-06-04 14:38 – Updated: 2026-06-04 15:46
VLAI
Title
OpenTelemetry-Go's baggage parsing no longer caps raw header length
Summary
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41178",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-04T15:46:06.715583Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-04T15:46:11.923Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "go.opentelemetry.io/otel/baggage",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "= 1.41.0"
            },
            {
              "status": "affected",
              "version": "= 1.43.0"
            }
          ]
        },
        {
          "product": "go.opentelemetry.io/otel/propagation",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "= 1.41.0"
            },
            {
              "status": "affected",
              "version": "= 1.43.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T14:38:23.707Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/pull/7880",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/pull/7880"
        }
      ],
      "source": {
        "advisory": "GHSA-5wrp-cwcj-q835",
        "discovery": "UNKNOWN"
      },
      "title": "OpenTelemetry-Go\u0027s baggage parsing no longer caps raw header length"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41178",
    "datePublished": "2026-06-04T14:38:23.707Z",
    "dateReserved": "2026-04-17T16:34:45.526Z",
    "dateUpdated": "2026-06-04T15:46:11.923Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41312 (GCVE-0-2026-41312)

Vulnerability from cvelistv5 – Published: 2026-04-22 21:02 – Updated: 2026-04-23 13:45
VLAI
Title
pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM
Summary
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
Assigner
Impacted products
Vendor Product Version
py-pdf pypdf Affected: < 6.10.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41312",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-23T13:45:18.970091Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-23T13:45:30.296Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pypdf",
          "vendor": "py-pdf",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T21:04:22.958Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-7gw9-cf7v-778f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-7gw9-cf7v-778f"
        },
        {
          "name": "https://github.com/py-pdf/pypdf/pull/3734",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/py-pdf/pypdf/pull/3734"
        },
        {
          "name": "https://github.com/py-pdf/pypdf/commit/ac734dab4eef92bcce50d503949b4d9887d89f11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/py-pdf/pypdf/commit/ac734dab4eef92bcce50d503949b4d9887d89f11"
        },
        {
          "name": "https://github.com/py-pdf/pypdf/releases/tag/6.10.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/py-pdf/pypdf/releases/tag/6.10.2"
        }
      ],
      "source": {
        "advisory": "GHSA-7gw9-cf7v-778f",
        "discovery": "UNKNOWN"
      },
      "title": "pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41312",
    "datePublished": "2026-04-22T21:02:53.156Z",
    "dateReserved": "2026-04-20T14:01:46.671Z",
    "dateUpdated": "2026-04-23T13:45:30.296Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41314 (GCVE-0-2026-41314)

Vulnerability from cvelistv5 – Published: 2026-04-22 21:08 – Updated: 2026-04-23 14:21
VLAI
Title
pypdf: Manipulated FlateDecode image dimensions can exhaust RAM
Summary
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
Assigner
Impacted products
Vendor Product Version
py-pdf pypdf Affected: < 6.10.2
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41314",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-23T14:21:23.056055Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-23T14:21:47.589Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pypdf",
          "vendor": "py-pdf",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values. This has been fixed in pypdf 6.10.2. As a workaround, one may apply the changes from the patch manually."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T21:08:14.700Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-x284-j5p8-9c5p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-x284-j5p8-9c5p"
        },
        {
          "name": "https://github.com/py-pdf/pypdf/pull/3734",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/py-pdf/pypdf/pull/3734"
        },
        {
          "name": "https://github.com/py-pdf/pypdf/commit/ac734dab4eef92bcce50d503949b4d9887d89f11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/py-pdf/pypdf/commit/ac734dab4eef92bcce50d503949b4d9887d89f11"
        },
        {
          "name": "https://github.com/py-pdf/pypdf/releases/tag/6.10.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/py-pdf/pypdf/releases/tag/6.10.2"
        }
      ],
      "source": {
        "advisory": "GHSA-x284-j5p8-9c5p",
        "discovery": "UNKNOWN"
      },
      "title": "pypdf: Manipulated FlateDecode image dimensions can exhaust RAM"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41314",
    "datePublished": "2026-04-22T21:08:14.700Z",
    "dateReserved": "2026-04-20T14:01:46.671Z",
    "dateUpdated": "2026-04-23T14:21:47.589Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42146 (GCVE-0-2026-42146)

Vulnerability from cvelistv5 – Published: 2026-05-04 17:53 – Updated: 2026-05-06 13:44
VLAI
Title
CImg Library: Uncontrolled memory allocation via nb_colors field in _load_bmp
Summary
CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
Assigner
Impacted products
Vendor Product Version
GreycLab CImg Affected: < c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42146",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-06T13:43:28.189688Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-06T13:44:14.581Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/GreycLab/CImg/issues/477"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CImg",
          "vendor": "GreycLab",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-04T17:53:23.830Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/GreycLab/CImg/security/advisories/GHSA-g54r-qmgx-c6fv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/GreycLab/CImg/security/advisories/GHSA-g54r-qmgx-c6fv"
        },
        {
          "name": "https://github.com/GreycLab/CImg/issues/477",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/GreycLab/CImg/issues/477"
        },
        {
          "name": "https://github.com/GreycLab/CImg/commit/c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/GreycLab/CImg/commit/c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3"
        },
        {
          "name": "https://github.com/GreycLab/CImg/releases/tag/v.3.7.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/GreycLab/CImg/releases/tag/v.3.7.5"
        }
      ],
      "source": {
        "advisory": "GHSA-g54r-qmgx-c6fv",
        "discovery": "UNKNOWN"
      },
      "title": "CImg Library: Uncontrolled memory allocation via nb_colors field in _load_bmp"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42146",
    "datePublished": "2026-05-04T17:53:23.830Z",
    "dateReserved": "2026-04-24T17:15:21.834Z",
    "dateUpdated": "2026-05-06T13:44:14.581Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42154 (GCVE-0-2026-42154)

Vulnerability from cvelistv5 – Published: 2026-05-04 18:13 – Updated: 2026-07-09 12:09
VLAI
Title
Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Summary
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-789 - Memory Allocation with Excessive Size Value
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
Impacted products
Vendor Product Version
prometheus prometheus Affected: < 3.5.3
Affected: >= 3.6.0, < 3.11.3
Create a notification for this product.
Red Hat RHEM 1.0 for RHEL 9     cpe:/a:redhat:edge_manager:1.0::el9
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
Create a notification for this product.
Red Hat Logging Subsystem for Red Hat OpenShift 6.4     cpe:/a:redhat:logging:6.4::el9
Create a notification for this product.
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2.13     cpe:/a:redhat:acm:2.13::el9
Create a notification for this product.
Red Hat Red Hat Edge Manager 1.0     cpe:/a:redhat:edge_manager:1.0::el9
Create a notification for this product.
Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
Create a notification for this product.
Red Hat File Integrity Operator     cpe:/a:redhat:openshift_file_integrity_operator:1
Create a notification for this product.
Red Hat Logging Subsystem for Red Hat OpenShift     cpe:/a:redhat:logging:6
Create a notification for this product.
Red Hat Multicluster Global Hub     cpe:/a:redhat:multicluster_globalhub
Create a notification for this product.
Red Hat Network Observability Operator     cpe:/a:redhat:network_observ_optr:1
Create a notification for this product.
Red Hat OpenShift Lightspeed     cpe:/a:redhat:openshift_lightspeed
Create a notification for this product.
Red Hat Red Hat Ceph Storage 5     cpe:/a:redhat:ceph_storage:5
Create a notification for this product.
Red Hat Red Hat Ceph Storage 6     cpe:/a:redhat:ceph_storage:6
Create a notification for this product.
Red Hat Red Hat Ceph Storage 7     cpe:/a:redhat:ceph_storage:7
Create a notification for this product.
Red Hat Red Hat Ceph Storage 8     cpe:/a:redhat:ceph_storage:8
Create a notification for this product.
Red Hat Red Hat Ceph Storage 9     cpe:/a:redhat:ceph_storage:9
Create a notification for this product.
Red Hat Red Hat Edge Manager 1     cpe:/a:redhat:edge_manager:1
Create a notification for this product.
Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
Create a notification for this product.
Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
Create a notification for this product.
Red Hat Red Hat OpenShift GitOps     cpe:/a:redhat:openshift_gitops:1
Create a notification for this product.
Red Hat Red Hat Quay 3     cpe:/a:redhat:quay:3
Create a notification for this product.
Red Hat Red Hat Trusted Artifact Signer     cpe:/a:redhat:trusted_artifact_signer:1
Create a notification for this product.
Red Hat OpenShift Service Mesh 2     cpe:/a:redhat:service_mesh:2
Create a notification for this product.
Red Hat OpenShift Service Mesh 3     cpe:/a:redhat:service_mesh:3
Create a notification for this product.
Red Hat Red Hat Advanced Cluster Management for Kubernetes 2     cpe:/a:redhat:acm:2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
Create a notification for this product.
Red Hat Red Hat OpenStack Platform 18.0     cpe:/a:redhat:openstack:18.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42154",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-04T20:18:48.754025Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-04T20:19:13.876Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:edge_manager:1.0::el9"
            ],
            "defaultStatus": "affected",
            "product": "RHEM 1.0 for RHEL 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:logging:6.4::el9"
            ],
            "defaultStatus": "affected",
            "product": "Logging Subsystem for Red Hat OpenShift 6.4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:acm:2.13::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Advanced Cluster Management for Kubernetes 2.13",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:edge_manager:1.0::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Edge Manager 1.0",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_file_integrity_operator:1"
            ],
            "defaultStatus": "affected",
            "product": "File Integrity Operator",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:logging:6"
            ],
            "defaultStatus": "affected",
            "product": "Logging Subsystem for Red Hat OpenShift",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:multicluster_globalhub"
            ],
            "defaultStatus": "affected",
            "product": "Multicluster Global Hub",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:network_observ_optr:1"
            ],
            "defaultStatus": "affected",
            "product": "Network Observability Operator",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_lightspeed"
            ],
            "defaultStatus": "affected",
            "product": "OpenShift Lightspeed",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ceph_storage:5"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ceph Storage 5",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ceph_storage:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ceph Storage 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ceph_storage:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ceph Storage 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ceph_storage:8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ceph Storage 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ceph_storage:9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Ceph Storage 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:edge_manager:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Edge Manager 1",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift:4"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Container Platform 4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_gitops:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift GitOps",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:quay:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Quay 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:trusted_artifact_signer:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Trusted Artifact Signer",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:2"
            ],
            "defaultStatus": "unaffected",
            "product": "OpenShift Service Mesh 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:3"
            ],
            "defaultStatus": "unaffected",
            "product": "OpenShift Service Mesh 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:acm:2"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Advanced Cluster Management for Kubernetes 2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openstack:18.0"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat OpenStack Platform 18.0",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-04T18:13:12.340Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Prometheus. An unauthenticated attacker can exploit the remote read endpoint (`/api/v1/read`) by sending a specially crafted, small snappy-compressed payload. This payload causes a disproportionately large memory allocation, leading to memory exhaustion and a Denial of Service (DoS) by crashing the Prometheus process."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T12:09:40.218Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-42154"
          },
          {
            "name": "RHBZ#2466505",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466505"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42154.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:36796"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:34357"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:34359"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:34364"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:30651"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:36651"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25039"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:29770"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25245"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:36796: RHEM 1.0 for RHEL 9"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:34357: Red Hat Enterprise Linux AppStream (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:34359: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:34364: Logging Subsystem for Red Hat OpenShift 6.4"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:30651: Red Hat Advanced Cluster Management for Kubernetes 2.13"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:36651: Red Hat Edge Manager 1.0"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:25039: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:29770: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:25245: Red Hat Hardened Images"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-04T19:02:19.626Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-04T18:13:12.340Z",
            "value": "Made public."
          }
        ],
        "title": "github.com/prometheus/prometheus: Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "prometheus",
          "vendor": "prometheus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.5.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.6.0, \u003c 3.11.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-04T18:13:12.340Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm"
        },
        {
          "name": "https://github.com/prometheus/prometheus/pull/18584",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/prometheus/prometheus/pull/18584"
        },
        {
          "name": "https://github.com/prometheus/prometheus/pull/18585",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/prometheus/prometheus/pull/18585"
        },
        {
          "name": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/prometheus/prometheus/releases/tag/v3.11.3"
        },
        {
          "name": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/prometheus/prometheus/releases/tag/v3.5.3"
        }
      ],
      "source": {
        "advisory": "GHSA-8rm2-7qqf-34qm",
        "discovery": "UNKNOWN"
      },
      "title": "Prometheus: remote read endpoint allows denial of service via crafted snappy payload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42154",
    "datePublished": "2026-05-04T18:13:12.340Z",
    "dateReserved": "2026-04-24T17:15:21.835Z",
    "dateUpdated": "2026-07-09T12:09:40.218Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42189 (GCVE-0-2026-42189)

Vulnerability from cvelistv5 – Published: 2026-05-08 19:49 – Updated: 2026-05-11 14:23
VLAI
Title
Russh: Pre-auth DoS via unbounded allocation in keyboard-interactive auth
Summary
Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
  • CWE-789 - Memory Allocation with Excessive Size Value
Assigner
Impacted products
Vendor Product Version
Eugeny russh Affected: < 0.60.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42189",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T14:23:22.063007Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T14:23:49.308Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "russh",
          "vendor": "Eugeny",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.60.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Russh is a Rust SSH client \u0026 server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server\u0027s keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T19:49:51.179Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg"
        },
        {
          "name": "https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6227d60fa8310e57172a4d1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6227d60fa8310e57172a4d1"
        },
        {
          "name": "https://github.com/Eugeny/russh/releases/tag/v0.60.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Eugeny/russh/releases/tag/v0.60.1"
        }
      ],
      "source": {
        "advisory": "GHSA-f5v4-2wr6-hqmg",
        "discovery": "UNKNOWN"
      },
      "title": "Russh: Pre-auth DoS via unbounded allocation in keyboard-interactive auth"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42189",
    "datePublished": "2026-05-08T19:49:51.179Z",
    "dateReserved": "2026-04-25T01:53:21.583Z",
    "dateUpdated": "2026-05-11T14:23:49.308Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42241 (GCVE-0-2026-42241)

Vulnerability from cvelistv5 – Published: 2026-05-07 18:52 – Updated: 2026-05-08 21:30
VLAI
Title
ParquetSharp: Possible Stack Overflow When Reading a ParquetFile with Large Decimal Type Width
Summary
ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this could lead to a stack overflow. In a service environment, this would potentially take down a service. This affects applications using ParquetSharp to read untrusted Parquet files in a network service. This issue has been patched in version 23.0.0.1.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
Impacted products
Vendor Product Version
G-Research ParquetSharp Affected: >= 18.1.0, < 23.0.0.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42241",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-08T14:38:23.750570Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-08T21:30:27.110Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ParquetSharp",
          "vendor": "G-Research",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 18.1.0, \u003c 23.0.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this could lead to a stack overflow. In a service environment, this would potentially take down a service. This affects applications using ParquetSharp to read untrusted Parquet files in a network service. This issue has been patched in version 23.0.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-07T18:52:06.773Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/G-Research/ParquetSharp/security/advisories/GHSA-rrjr-v56m-ww88",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/G-Research/ParquetSharp/security/advisories/GHSA-rrjr-v56m-ww88"
        },
        {
          "name": "https://github.com/G-Research/ParquetSharp/releases/tag/23.0.0.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/G-Research/ParquetSharp/releases/tag/23.0.0.1"
        }
      ],
      "source": {
        "advisory": "GHSA-rrjr-v56m-ww88",
        "discovery": "UNKNOWN"
      },
      "title": "ParquetSharp: Possible Stack Overflow When Reading a ParquetFile with Large Decimal Type Width"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42241",
    "datePublished": "2026-05-07T18:52:06.773Z",
    "dateReserved": "2026-04-25T05:37:12.118Z",
    "dateUpdated": "2026-05-08T21:30:27.110Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42348 (GCVE-0-2026-42348)

Vulnerability from cvelistv5 – Published: 2026-05-12 18:01 – Updated: 2026-05-13 19:32
VLAI
Title
OpAMP client reads unbounded HTTP response bodies
Summary
OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured OpAMP server is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response. This vulnerability is fixed in 0.2.0-alpha.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42348",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T19:25:08.216390Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T19:32:28.404Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-dotnet-contrib",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.2.0-alpha.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured OpAMP server is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response. This vulnerability is fixed in 0.2.0-alpha.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T18:01:41.812Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-w2jh-77fq-7gp8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-w2jh-77fq-7gp8"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4116",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4116"
        }
      ],
      "source": {
        "advisory": "GHSA-w2jh-77fq-7gp8",
        "discovery": "UNKNOWN"
      },
      "title": "OpAMP client reads unbounded HTTP response bodies"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42348",
    "datePublished": "2026-05-12T18:01:41.812Z",
    "dateReserved": "2026-04-26T13:26:14.515Z",
    "dateUpdated": "2026-05-13T19:32:28.404Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42440 (GCVE-0-2026-42440)

Vulnerability from cvelistv5 – Published: 2026-05-04 16:40 – Updated: 2026-07-03 12:05
VLAI
Title
Apache OpenNLP: OOM DoS via Unbounded Array Allocation in AbstractModelReader
Summary
OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader  Versions Affected:  before 1.9.5 before 2.5.9 before 3.0.0-M3  Description: The AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed integer count field from a binary model stream and pass that value directly to an array allocation (new String[numOutcomes], new int[numOCTypes][], new String[NUM_PREDS]) without validating that the value is non-negative or within a reasonable bound. The count is therefore fully attacker-controlled when the model file originates from an untrusted source. A crafted .bin model file in which any of these count fields is set to Integer.MAX_VALUE (or any value large enough to exhaust the available heap) triggers an OutOfMemoryError at the array allocation itself, before the corresponding label or pattern data is consumed from the stream. The error occurs very early in deserialization: for a GIS model, getOutcomes() is reached after only the model-type string, the correction constant, and the correction parameter have been read; so the attacker pays no meaningful size cost to weaponize a payload, and a single small file can crash a JVM that loads it. Any code path that deserializes a .bin model is affected, including direct use of GenericModelReader and any higher-level component that delegates to it during model load. The practical impact is denial of service against processes that load model files from untrusted or semi-trusted origins.   Mitigation: * 2.x users should upgrade to 2.5.9. * 3.x users should upgrade to 3.0.0-M3. Note: The fix introduces an upper bound on each of the three count fields, checked before array allocation; counts that are negative or exceed the bound cause an IllegalArgumentException to be thrown and the read to fail fast with no large allocation. The default bound is 10,000,000, which is well above the entry counts of legitimate OpenNLP models but far below any value that would threaten heap exhaustion. Deployments that legitimately need to load models with more entries than the default can raise the limit at JVM startup by setting the OPENNLP_MAX_ENTRIES system property to the desired positive integer (e.g. -DOPENNLP_MAX_ENTRIES=50000000); invalid or non-positive values fall back to the default. Users who cannot upgrade immediately should treat all .bin model files as untrusted input unless their provenance is verified, and should avoid loading models supplied by end users or fetched from third-party repositories without integrity checks.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache OpenNLP Affected: 2.0 , < 2.5.9 (semver)
Affected: 3.0.0-M1 , < 3.0.0-M3 (semver)
Affected: 0 , < 1.9.5 (semver)
Create a notification for this product.
Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
Create a notification for this product.
Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
Create a notification for this product.
Red Hat Red Hat Data Grid 8     cpe:/a:redhat:jboss_data_grid:8
Create a notification for this product.
Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
Create a notification for this product.
Credits
Subramanian S
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-04T17:37:00.275Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/01/21"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-42440",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-05T16:00:26.146388Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-05T16:03:03.237Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:jboss_fuse:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Fuse 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jbosseapxp"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_data_grid:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Data Grid 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "unknown",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-04T16:40:32.503Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Apache OpenNLP. A remote attacker can exploit this vulnerability by providing a specially crafted binary model (.bin) file. This file contains an excessively large count field, which leads to an unbounded array allocation and triggers an OutOfMemoryError. Successful exploitation results in a Denial of Service (DoS) against any process that attempts to load the malicious model file."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-03T12:05:09.108Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-42440"
          },
          {
            "name": "RHBZ#2466494",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466494"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42440.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-04T19:01:44.897Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-04T16:40:32.503Z",
            "value": "Made public."
          }
        ],
        "title": "org.apache.opennlp/opennlp-tools: Apache OpenNLP: Denial of Service via unbounded array allocation in crafted model files",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.opennlp:opennlp-tools",
          "product": "Apache OpenNLP",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.5.9",
              "status": "affected",
              "version": "2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.0-M3",
              "status": "affected",
              "version": "3.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThan": "1.9.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Subramanian S"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cb\u003eOOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader\u0026nbsp;\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eVersions Affected:\u003c/b\u003e\u0026nbsp;\u003c/p\u003ebefore 1.9.5\u003cbr\u003e\u003cp\u003ebefore 2.5.9\u003c/p\u003e\u003cp\u003ebefore 3.0.0-M3\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003cb\u003eDescription:\u003c/b\u003e\u003c/p\u003e\n\u003cp\u003eThe \u003ccode\u003eAbstractModelReader\u003c/code\u003e methods \u003ccode\u003egetOutcomes()\u003c/code\u003e, \u003ccode\u003egetOutcomePatterns()\u003c/code\u003e, and \u003ccode\u003egetPredicates()\u003c/code\u003e each read a 32-bit signed integer count field from a binary model stream and pass that value directly to an array allocation (\u003ccode\u003enew String[numOutcomes]\u003c/code\u003e, \u003ccode\u003enew int[numOCTypes][]\u003c/code\u003e, \u003ccode\u003enew String[NUM_PREDS]\u003c/code\u003e) without validating that the value is non-negative or within a reasonable bound. The count is therefore fully attacker-controlled when the model file originates from an untrusted source.\u003c/p\u003e\n\u003cp\u003eA crafted \u003ccode\u003e.bin\u003c/code\u003e model file in which any of these count fields is set to \u003ccode\u003eInteger.MAX_VALUE\u003c/code\u003e (or any value large enough to exhaust the available heap) triggers an \u003ccode\u003eOutOfMemoryError\u003c/code\u003e at the array allocation itself, before the corresponding label or pattern data is consumed from the stream. The error occurs very early in deserialization: for a GIS model, \u003ccode\u003egetOutcomes()\u003c/code\u003e is reached after only the model-type string, the correction constant, and the correction parameter have been read; so the attacker pays no meaningful size cost to weaponize a payload, and a single small file can crash a JVM that loads it. Any code path that deserializes a \u003ccode\u003e.bin\u003c/code\u003e model is affected, including direct use of \u003ccode\u003eGenericModelReader\u003c/code\u003e and any higher-level component that delegates to it during model load.\u003c/p\u003e\n\u003cp\u003eThe practical impact is denial of service against processes that load model files from untrusted or semi-trusted origins.\u0026nbsp;\u0026nbsp;\u003c/p\u003e\n\u003cp\u003e\u003cb\u003eMitigation:\u003c/b\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e2.x users should upgrade to 2.5.9.\u003c/li\u003e\n\u003cli\u003e3.x users should upgrade to 3.0.0-M3.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cb\u003eNote:\u003c/b\u003e The fix introduces an upper bound on each of the three count fields, checked before array allocation; counts that are negative or exceed the bound cause an \u003ccode\u003eIllegalArgumentException\u003c/code\u003e to be thrown and the read to fail fast with no large allocation. The default bound is 10,000,000, which is well above the entry counts of legitimate OpenNLP models but far below any value that would threaten heap exhaustion. Deployments that legitimately need to load models with more entries than the default can raise the limit at JVM startup by setting the \u003ccode\u003eOPENNLP_MAX_ENTRIES\u003c/code\u003e system property to the desired positive integer (e.g. \u003ccode\u003e-DOPENNLP_MAX_ENTRIES=50000000\u003c/code\u003e); invalid or non-positive values fall back to the default.\u003c/p\u003e\n\u003cp\u003eUsers who cannot upgrade immediately should treat all \u003ccode\u003e.bin\u003c/code\u003e model files as untrusted input unless their provenance is verified, and should avoid loading models supplied by end users or fetched from third-party repositories without integrity checks.\u0026nbsp;\u003c/p\u003e"
            }
          ],
          "value": "OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader\u00a0\n\nVersions Affected:\u00a0\n\nbefore 1.9.5\nbefore 2.5.9\n\nbefore 3.0.0-M3\u00a0\n\nDescription:\n\n\nThe AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed integer count field from a binary model stream and pass that value directly to an array allocation (new String[numOutcomes], new int[numOCTypes][], new String[NUM_PREDS]) without validating that the value is non-negative or within a reasonable bound. The count is therefore fully attacker-controlled when the model file originates from an untrusted source.\n\n\nA crafted .bin model file in which any of these count fields is set to Integer.MAX_VALUE (or any value large enough to exhaust the available heap) triggers an OutOfMemoryError at the array allocation itself, before the corresponding label or pattern data is consumed from the stream. The error occurs very early in deserialization: for a GIS model, getOutcomes() is reached after only the model-type string, the correction constant, and the correction parameter have been read; so the attacker pays no meaningful size cost to weaponize a payload, and a single small file can crash a JVM that loads it. Any code path that deserializes a .bin model is affected, including direct use of GenericModelReader and any higher-level component that delegates to it during model load.\n\n\nThe practical impact is denial of service against processes that load model files from untrusted or semi-trusted origins.\u00a0\u00a0\n\n\nMitigation:\n\n\n\n  *  2.x users should upgrade to 2.5.9.\n\n  *  3.x users should upgrade to 3.0.0-M3.\n\n\n\n\nNote: The fix introduces an upper bound on each of the three count fields, checked before array allocation; counts that are negative or exceed the bound cause an IllegalArgumentException to be thrown and the read to fail fast with no large allocation. The default bound is 10,000,000, which is well above the entry counts of legitimate OpenNLP models but far below any value that would threaten heap exhaustion. Deployments that legitimately need to load models with more entries than the default can raise the limit at JVM startup by setting the OPENNLP_MAX_ENTRIES system property to the desired positive integer (e.g. -DOPENNLP_MAX_ENTRIES=50000000); invalid or non-positive values fall back to the default.\n\n\nUsers who cannot upgrade immediately should treat all .bin model files as untrusted input unless their provenance is verified, and should avoid loading models supplied by end users or fetched from third-party repositories without integrity checks."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T07:17:38.376Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/s8xlkx1gqbxfsq48py5h6jphjvgqp1jo"
        }
      ],
      "source": {
        "defect": [
          "OPENNLP-1821"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Apache OpenNLP: OOM DoS via Unbounded Array Allocation in AbstractModelReader",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-42440",
    "datePublished": "2026-05-04T16:40:32.503Z",
    "dateReserved": "2026-04-27T12:43:14.347Z",
    "dateUpdated": "2026-07-03T12:05:09.108Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phases: Implementation, Architecture and Design

Description:

  • Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
Mitigation

Phase: Operation

Description:

  • Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page