Common Weakness Enumeration

CWE-789

Memory Allocation with Excessive Size Value

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

CVE-2026-42582 (GCVE-0-2026-42582)

Vulnerability from cvelistv5 – Published: 2026-05-13 18:06 – Updated: 2026-05-13 19:35
VLAI
Title
Netty: HTTP/3 QPACK literal unbounded allocation
Summary
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-770 - Allocation of Resources Without Limits or Throttling
  • CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
Impacted products
Vendor Product Version
netty netty Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
Create a notification for this product.
io.netty netty-codec-http3 Affected: >= 4.2.0.Alpha1, < 4.2.13.Final
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42582",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T19:35:22.097676Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T19:35:35.549Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netty",
          "vendor": "netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
            }
          ]
        },
        {
          "product": "netty-codec-http3",
          "vendor": "io.netty",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0.Alpha1, \u003c 4.2.13.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length \u003c= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T18:07:22.589Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/netty/netty/security/advisories/GHSA-2c5c-chwr-9hqw"
        }
      ],
      "source": {
        "advisory": "GHSA-2c5c-chwr-9hqw",
        "discovery": "UNKNOWN"
      },
      "title": "Netty: HTTP/3 QPACK literal unbounded allocation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42582",
    "datePublished": "2026-05-13T18:06:55.559Z",
    "dateReserved": "2026-04-28T17:26:12.085Z",
    "dateUpdated": "2026-05-13T19:35:35.549Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42946 (GCVE-0-2026-42946)

Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:06
VLAI
Title
NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability
Summary
A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
  • CWE-823 - Use of Out-of-range Pointer Offset
Assigner
f5
References
URL Tags
https://my.f5.com/manage/s/article/K000161027 vendor-advisorypatch
Impacted products
Vendor Product Version
F5 NGINX Plus Unaffected: R37 , < * (custom)
Affected: R36 , < R36 P4 (custom)
Affected: R32 , < R32 P6 (custom)
Create a notification for this product.
F5 NGINX Open Source Unaffected: 1.31.0 , < * (semver)
Affected: 0.8.42 , < 1.30.1 (semver)
Create a notification for this product.
Date Public
2026-05-13 14:00
Credits
F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42946",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:55:04.864917Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T16:06:56.898Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "ngx_http_scgi_module and ngx_http_uwsgi_module"
          ],
          "product": "NGINX Plus",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "R37",
              "versionType": "custom"
            },
            {
              "lessThan": "R36 P4",
              "status": "affected",
              "version": "R36",
              "versionType": "custom"
            },
            {
              "lessThan": "R32 P6",
              "status": "affected",
              "version": "R32",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "ngx_http_scgi_module and ngx_http_uwsgi_module"
          ],
          "product": "NGINX Open Source",
          "vendor": "F5",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.31.0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.30.1",
              "status": "affected",
              "version": "0.8.42",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "F5 acknowledges Zhenpeng (Leo) Lin of depthfirst for bringing this issue to our attention and following the highest standards of coordinated disclosure."
        }
      ],
      "datePublic": "2026-05-13T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability exists in the \u003c/span\u003e\u003cstrong\u003engx_http_scgi_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;and \u003c/span\u003e\u003cstrong\u003engx_http_uwsgi_module\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;modules that may result in excessive memory allocation or an over-read of data. When \u003c/span\u003e\u003cstrong\u003escgi_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;or \u003c/span\u003e\u003cstrong\u003euwsgi_pass\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.\u003c/span\u003e\u0026nbsp; Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
            }
          ],
          "value": "A vulnerability exists in the ngx_http_scgi_module\u00a0and ngx_http_uwsgi_module\u00a0modules that may result in excessive memory allocation or an over-read of data. When scgi_pass\u00a0or uwsgi_pass\u00a0is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.\u00a0 Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-823",
              "description": "CWE-823: Use of Out-of-range Pointer Offset",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T14:12:44.697Z",
        "orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
        "shortName": "f5"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://my.f5.com/manage/s/article/K000161027"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability",
      "x_generator": {
        "engine": "F5 SIRTBot v1.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
    "assignerShortName": "f5",
    "cveId": "CVE-2026-42946",
    "datePublished": "2026-05-13T14:12:44.697Z",
    "dateReserved": "2026-04-30T23:04:27.965Z",
    "dateUpdated": "2026-05-13T16:06:56.898Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43868 (GCVE-0-2026-43868)

Vulnerability from cvelistv5 – Published: 2026-05-05 07:49 – Updated: 2026-07-06 12:04
VLAI
Title
Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern
Summary
Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
  • CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input
Assigner
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-43868",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-05T19:14:59.873382Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-789",
                "description": "CWE-789 Memory Allocation with Excessive Size Value",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-05T19:21:34.278Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:apache_camel_quarkus:3.33"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ai_inference_server:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat AI Inference Server",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:camel_quarkus:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_fuse:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Fuse 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_data_grid:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Data Grid 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jbosseapxp"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-05T07:49:47.754Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Apache Thrift. This vulnerability involves a Memory Allocation with Excessive Size Value, which could allow an attacker to trigger resource exhaustion. By providing an overly large size value during memory allocation, an attacker can cause the affected system to become unresponsive, leading to a Denial of Service (DoS)."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1285",
                "description": "Improper Validation of Specified Index, Position, or Offset in Input",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-06T12:04:52.009Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-43868"
          },
          {
            "name": "RHBZ#2466670",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466670"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43868.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26586"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:26586: Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-05T09:00:59.745Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-05T07:49:47.754Z",
            "value": "Made public."
          }
        ],
        "title": "Apache Thrift: Apache Thrift: Denial of Service via excessive memory allocation",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Thrift",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "0.23.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMemory Allocation with Excessive Size Value vulnerability in Apache Thrift.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Thrift: before 0.23.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.23.0, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Memory Allocation with Excessive Size Value vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789 Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T07:49:47.754Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/zj76dtwnbbs1m7z3focf4wd51pqpsmn9"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-43868",
    "datePublished": "2026-05-05T07:49:47.754Z",
    "dateReserved": "2026-05-04T14:10:22.281Z",
    "dateUpdated": "2026-07-06T12:04:52.009Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44375 (GCVE-0-2026-44375)

Vulnerability from cvelistv5 – Published: 2026-05-14 14:32 – Updated: 2026-05-14 16:02
VLAI
Title
Nerdbank.MessagePack: Attacker-controlled stackalloc in DateTime decoding causes process-terminating StackOverflowException
Summary
Nerdbank.MessagePack is a NativeAOT-compatible MessagePack serialization library. Prior to 1.1.62, Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a StackOverflowException, which is not catchable by user code and terminates the process. This vulnerability is fixed in 1.1.62.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44375",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T16:01:58.538455Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T16:02:12.327Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Nerdbank.MessagePack",
          "vendor": "AArnott",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.1.62"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nerdbank.MessagePack is a NativeAOT-compatible MessagePack serialization library. Prior to 1.1.62, Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a StackOverflowException, which is not catchable by user code and terminates the process. This vulnerability is fixed in 1.1.62."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T14:32:09.506Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/AArnott/Nerdbank.MessagePack/security/advisories/GHSA-2cwq-pwfr-wcw3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/AArnott/Nerdbank.MessagePack/security/advisories/GHSA-2cwq-pwfr-wcw3"
        },
        {
          "name": "https://github.com/AArnott/Nerdbank.MessagePack/pull/941",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AArnott/Nerdbank.MessagePack/pull/941"
        },
        {
          "name": "https://github.com/AArnott/Nerdbank.MessagePack/commit/7d1eb319cfabe7280e70699946c9a48579fa2f30",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AArnott/Nerdbank.MessagePack/commit/7d1eb319cfabe7280e70699946c9a48579fa2f30"
        },
        {
          "name": "https://github.com/AArnott/Nerdbank.MessagePack/releases/tag/v1.1.62",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AArnott/Nerdbank.MessagePack/releases/tag/v1.1.62"
        }
      ],
      "source": {
        "advisory": "GHSA-2cwq-pwfr-wcw3",
        "discovery": "UNKNOWN"
      },
      "title": "Nerdbank.MessagePack: Attacker-controlled stackalloc in DateTime decoding causes process-terminating StackOverflowException"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44375",
    "datePublished": "2026-05-14T14:32:09.506Z",
    "dateReserved": "2026-05-05T20:15:20.631Z",
    "dateUpdated": "2026-05-14T16:02:12.327Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-44967 (GCVE-0-2026-44967)

Vulnerability from cvelistv5 – Published: 2026-06-12 14:52 – Updated: 2026-06-12 16:10
VLAI
Title
opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response
Summary
OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44967",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-12T16:10:44.803865Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-12T16:10:48.362Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-cpp",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.27.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-12T14:52:00.124Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-cpp/security/advisories/GHSA-5qhm-4rfp-qqvj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-cpp/security/advisories/GHSA-5qhm-4rfp-qqvj"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-cpp/issues/3958",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-cpp/issues/3958"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-cpp/pull/4078",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-cpp/pull/4078"
        }
      ],
      "source": {
        "advisory": "GHSA-5qhm-4rfp-qqvj",
        "discovery": "UNKNOWN"
      },
      "title": "opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44967",
    "datePublished": "2026-06-12T14:52:00.124Z",
    "dateReserved": "2026-05-08T16:23:33.263Z",
    "dateUpdated": "2026-06-12T16:10:48.362Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47313 (GCVE-0-2026-47313)

Vulnerability from cvelistv5 – Published: 2026-05-19 06:28 – Updated: 2026-05-19 13:18
VLAI
Summary
Memory allocation with excessive size value vulnerability in Samsung Open Source Escargot allows Excessive Allocation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory allocation with excessive size value
References
Impacted products
Vendor Product Version
Samsung Open Source Escargot Affected: 590345cc6258317c5da850d846ce6baaf2afc2d3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47313",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-19T13:17:37.368003Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T13:18:32.881Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Escargot",
          "vendor": "Samsung Open Source",
          "versions": [
            {
              "status": "affected",
              "version": "590345cc6258317c5da850d846ce6baaf2afc2d3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Memory allocation with excessive size value vulnerability in Samsung Open Source Escargot allows Excessive Allocation.\u003cp\u003eThis issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.\u003c/p\u003e"
            }
          ],
          "value": "Memory allocation with excessive size value vulnerability in Samsung Open Source Escargot allows Excessive Allocation.\n\nThis issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789 Memory allocation with excessive size value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-19T06:28:34.474Z",
        "orgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe",
        "shortName": "samsung.tv_appliance"
      },
      "references": [
        {
          "url": "https://github.com/Samsung/escargot/pull/1565"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe",
    "assignerShortName": "samsung.tv_appliance",
    "cveId": "CVE-2026-47313",
    "datePublished": "2026-05-19T06:28:34.474Z",
    "dateReserved": "2026-05-19T02:40:40.159Z",
    "dateUpdated": "2026-05-19T13:18:32.881Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47319 (GCVE-0-2026-47319)

Vulnerability from cvelistv5 – Published: 2026-06-04 09:39 – Updated: 2026-06-08 05:31
VLAI
Summary
Memory allocation with excessive size value vulnerability in Samsung Open Source rlottie allows Excessive Allocation. This issue affects rlottie: before 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory allocation with excessive size value
References
Impacted products
Vendor Product Version
Samsung Open Source rlottie Unaffected: 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd
Create a notification for this product.
Credits
Feng Ning, Innora Security Research (feng@innora.ai)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47319",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-04T12:18:40.838007Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-04T12:19:08.616Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "rlottie",
          "vendor": "Samsung Open Source",
          "versions": [
            {
              "status": "unaffected",
              "version": "0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Feng Ning, Innora Security Research (feng@innora.ai)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Memory allocation with excessive size value vulnerability in Samsung Open Source rlottie allows Excessive Allocation.\u003cp\u003eThis issue affects rlottie: before 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd.\u003c/p\u003e"
            }
          ],
          "value": "Memory allocation with excessive size value vulnerability in Samsung Open Source rlottie allows Excessive Allocation.\n\nThis issue affects rlottie: before 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789 Memory allocation with excessive size value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-08T05:31:02.960Z",
        "orgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe",
        "shortName": "samsung.tv_appliance"
      },
      "references": [
        {
          "url": "https://github.com/Samsung/rlottie/pull/588"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe",
    "assignerShortName": "samsung.tv_appliance",
    "cveId": "CVE-2026-47319",
    "datePublished": "2026-06-04T09:39:55.058Z",
    "dateReserved": "2026-05-19T05:50:23.979Z",
    "dateUpdated": "2026-06-08T05:31:02.960Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47734 (GCVE-0-2026-47734)

Vulnerability from cvelistv5 – Published: 2026-06-10 22:11 – Updated: 2026-06-11 16:14
VLAI
Title
Dulwich has unbounded memory allocation in receive-pack from crafted thin packs
Summary
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack (~174 bytes) whose delta header declares a huge dest_size. When dulwich ingested it via add_thin_pack / apply_delta, it would allocate hundreds of MB of memory based on that attacker-controlled size, with no relationship to the actual bytes received. Operators running a Dulwich-based Git server that exposes git-receive-pack (i.e. accepts pushes) - for example via dulwich.server functionality, the HTTP smart server, or anything built on ReceivePackHandler - are impacted. The issue is patched in 1.2.5. add_thin_pack now accepts a max_input_size keyword (bytes; 0/None = unlimited, matching git's semantics), and ReceivePackHandler reads receive.maxInputSize from the repository config and passes it through. Wire reads are counted and a PackInputTooLarge exception is raised once the cap is exceeded - equivalent to git index-pack --max-input-size. Users should upgrade to Dulwich 1.2.5 or later and set receive.maxInputSize in their server's repository config to a sane bound for their environment. On unpatched versions, receive.maxInputSize has no effect, so it cannot be used as a workaround. Until upgrading, operators should restrict dulwich-receive-pack (push) access to trusted, authenticated clients only, or disable it entirely on servers that only need to serve fetches and/or run the server under an OS-level memory limit (e.g. ulimit, cgroups/MemoryMax, or a container memory limit) so a malicious push is killed rather than taking down the host.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
Impacted products
Vendor Product Version
jelmer dulwich Affected: >= 0.1.0, < 1.2.5
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47734",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-11T14:08:10.796596Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T16:14:16.785Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dulwich",
          "vendor": "jelmer",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.1.0, \u003c 1.2.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack (~174 bytes)  whose delta header declares a huge   dest_size. When dulwich ingested it via  add_thin_pack / apply_delta, it would  allocate hundreds of MB of memory based on that attacker-controlled size, with no relationship to the actual bytes received. Operators running a Dulwich-based Git server that exposes git-receive-pack (i.e. accepts pushes) - for example via dulwich.server functionality, the HTTP  smart server, or anything built on ReceivePackHandler - are impacted. The issue is patched in 1.2.5. add_thin_pack now accepts a max_input_size keyword (bytes; 0/None = unlimited, matching git\u0027s semantics), and ReceivePackHandler reads receive.maxInputSize from the repository config and passes it through. Wire reads are counted and a PackInputTooLarge exception is raised once the cap is exceeded - equivalent to git index-pack --max-input-size. Users should upgrade to Dulwich 1.2.5 or later and set receive.maxInputSize in their server\u0027s repository config to a sane bound for their environment. On unpatched versions, receive.maxInputSize has no effect, so it cannot be used as a workaround. Until upgrading, operators should restrict dulwich-receive-pack (push) access to trusted, authenticated clients only, or disable it entirely on servers that only need to serve fetches and/or run the server under an OS-level memory limit (e.g. ulimit, cgroups/MemoryMax, or a container memory limit) so a malicious push is killed rather than taking down the host."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T22:11:02.704Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jelmer/dulwich/security/advisories/GHSA-xrvj-v92f-53gj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jelmer/dulwich/security/advisories/GHSA-xrvj-v92f-53gj"
        },
        {
          "name": "https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5"
        }
      ],
      "source": {
        "advisory": "GHSA-xrvj-v92f-53gj",
        "discovery": "UNKNOWN"
      },
      "title": "Dulwich has unbounded memory allocation in receive-pack from crafted thin packs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47734",
    "datePublished": "2026-06-10T22:11:02.704Z",
    "dateReserved": "2026-05-19T22:16:39.503Z",
    "dateUpdated": "2026-06-11T16:14:16.785Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48502 (GCVE-0-2026-48502)

Vulnerability from cvelistv5 – Published: 2026-06-22 21:18 – Updated: 2026-06-23 15:05
VLAI
Title
MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows
Summary
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-125 - Out-of-bounds Read
  • CWE-190 - Integer Overflow or Wraparound
  • CWE-407 - Inefficient Algorithmic Complexity
  • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
  • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
  • CWE-502 - Deserialization of Untrusted Data
  • CWE-674 - Uncontrolled Recursion
  • CWE-789 - Memory Allocation with Excessive Size Value
  • CWE-1188 - Insecure Default Initialization of Resource
Assigner
References
Impacted products
Vendor Product Version
MessagePack-CSharp MessagePack-CSharp Affected: >= 3.1.7, < 3.1.7
Affected: < 2.5.301
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48502",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T14:58:22.893152Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T15:05:33.595Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MessagePack-CSharp",
          "vendor": "MessagePack-CSharp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.1.7, \u003c 3.1.7"
            },
            {
              "status": "affected",
              "version": "\u003c 2.5.301"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-409",
              "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789: Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188: Insecure Default Initialization of Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-22T21:18:29.190Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-382j-8mxh-c7x2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-382j-8mxh-c7x2"
        }
      ],
      "source": {
        "advisory": "GHSA-382j-8mxh-c7x2",
        "discovery": "UNKNOWN"
      },
      "title": "MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48502",
    "datePublished": "2026-06-22T21:18:29.190Z",
    "dateReserved": "2026-05-21T15:33:08.293Z",
    "dateUpdated": "2026-06-23T15:05:33.595Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-49975 (GCVE-0-2026-49975)

Vulnerability from cvelistv5 – Published: 2026-06-08 15:26 – Updated: 2026-07-09 12:09
VLAI
Title
Apache HTTP Server: mod_http2 denial of service
Summary
Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-789 - Memory Allocation with Excessive Size Value
  • CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache HTTP Server Affected: 2.4.17 , ≤ 2.4.67 (semver)
Create a notification for this product.
Red Hat Red Hat JBoss Core Services on RHEL 7 Server     cpe:/a:redhat:jboss_core_services:1::el7
Create a notification for this product.
Red Hat Red Hat JBoss Core Services on RHEL 8     cpe:/a:redhat:jboss_core_services:1::el8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.4)     cpe:/a:redhat:rhel_aus:8.4::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)     cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.6)     cpe:/a:redhat:rhel_aus:8.6::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)     cpe:/a:redhat:rhel_eus_long_life:8.6::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.8)     cpe:/a:redhat:rhel_e4s:8.8::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.8)     cpe:/a:redhat:rhel_tus:8.8::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
Create a notification for this product.
Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
Create a notification for this product.
Red Hat Red Hat JBoss Core Services 2.4.62.SP4     cpe:/a:redhat:jboss_core_services:1
Create a notification for this product.
Red Hat Red Hat OpenShift Service Mesh 2.6     cpe:/a:redhat:service_mesh:2.6::el9
Create a notification for this product.
Red Hat Red Hat JBoss Core Services     cpe:/a:redhat:jboss_core_services:1
Create a notification for this product.
Red Hat Red Hat JBoss Web Server 5     cpe:/a:redhat:jboss_enterprise_web_server:5
Create a notification for this product.
Credits
Quang Luong of Calif.IO in collaboration with OpenAI Codex
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-08T22:32:35.729Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/03/3"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00009.html"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/08/16"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-49975",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-18T10:27:36.270403Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T10:29:04.207Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/EQSTLab/CVE-2026-49975"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:jboss_core_services:1::el7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat JBoss Core Services on RHEL 7 Server",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_core_services:1::el8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat JBoss Core Services on RHEL 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_aus:8.4::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_aus:8.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus_long_life:8.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:8.8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_tus:8.8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_core_services:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat JBoss Core Services 2.4.62.SP4",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:service_mesh:2.6::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift Service Mesh 2.6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_core_services:1"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat JBoss Core Services",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:jboss_enterprise_web_server:5"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat JBoss Web Server 5",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-03T00:00:00.000Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in HTTP/2, affecting various web servers. A remote attacker can exploit this vulnerability by combining an HPACK compression bomb with a zero-byte flow-control window. This technique allows a small amount of data to expand into large memory allocations on the server, which are then held, leading to a denial of service (DoS) by rendering the server inaccessible."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-409",
                "description": "Improper Handling of Highly Compressed Data (Data Amplification)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T12:09:47.463Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-49975"
          },
          {
            "name": "RHBZ#2485371",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2485371"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49975.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27200"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25225"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25090"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:36846"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:36831"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:36373"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25057"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25042"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27201"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27114"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:27200: Red Hat JBoss Core Services on RHEL 7 Server, Red Hat JBoss Core Services on RHEL 8"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:25225: Red Hat Enterprise Linux AppStream (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:25090: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:36846: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:36831: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:36373: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:25057: Red Hat Enterprise Linux AppStream (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:25042: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27201: Red Hat JBoss Core Services 2.4.62.SP4"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27114: Red Hat OpenShift Service Mesh 2.6"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-05T06:04:44.009Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-03T00:00:00.000Z",
            "value": "Made public."
          }
        ],
        "title": "httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack",
        "workarounds": [
          {
            "lang": "en",
            "value": "See the security bulletin for a detailed mitigation procedure."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache HTTP Server",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.4.67",
              "status": "affected",
              "version": "2.4.17",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Quang Luong of Calif.IO in collaboration with OpenAI Codex"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMemory Allocation with Excessive Size Value vulnerability in Apache HTTP Server\u0027s mod_http leads to denial of service via malicious HTTP requests.\u003c/p\u003e\u003cp\u003eThis issue affects Apache HTTP Server: from 2.4.17 through 2.4.67.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server\u0027s mod_http leads to denial of service via malicious HTTP requests.\n\nThis issue affects Apache HTTP Server: from 2.4.17 through 2.4.67."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-789",
              "description": "CWE-789 Memory Allocation with Excessive Size Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-08T15:26:04.674Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-26T12:00:00.000Z",
          "value": "reported"
        },
        {
          "lang": "en",
          "time": "2026-05-27T12:00:00.000Z",
          "value": "fixed upstream in mod_h2 https://github.com/icing/mod_h2/commit/35c6e405390ed361189a82acd96675401ea5947c"
        },
        {
          "lang": "en",
          "time": "2026-06-02T12:00:00.000Z",
          "value": "fixed in 2.4.x by r1934882"
        },
        {
          "lang": "eng",
          "time": "2026-06-08T12:00:00.000Z",
          "value": "2.4.68 released"
        }
      ],
      "title": "Apache HTTP Server: mod_http2 denial of service",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-49975",
    "datePublished": "2026-06-08T15:26:04.674Z",
    "dateReserved": "2026-06-02T17:20:37.983Z",
    "dateUpdated": "2026-07-09T12:09:47.463Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phases: Implementation, Architecture and Design

Description:

  • Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
Mitigation

Phase: Operation

Description:

  • Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page