osec-2026-09
Vulnerability from osv_ocaml
Published
Modified
2026-05-28 08:59
Summary
Albatross-console memory exhaustion
Details

Albatross-console doesn't properly terminate when looping over the ringbuffer. This leads to denial of service and memory exhaustion.

Scenario

A user that has access to albatross-console either via the unix domain socket (requires root:albatross by default) or via albatross-tls-endpoint (requires a valid certificate and a running unikernel) can send a specially crafted query for console logs that will make albatross-console hang and eventually exhaust memory.

Detailed description

Albatross-console receives console messages from running unikernels via named pipes. These console messages are stored in memory in a ring buffer with a non-configurable default size of 1024 lines. A client query the console output of a unikernel with either a count or a timestamp for limiting the output. A bug in the ring buffer logic exists so that when the ring buffer is full (has 1024 lines) the termination logic doesn't work properly.

When using a timestamp to limit then a timestamp earlier than all recorded console output in the ring buffer bypasses the termination logic, and albatross-console will repeatedly loop over the ring buffer accumulating the entries in a list indefinitely eventually exhausting memory.

If using a count the termination logic doesn't take into consideration how many entries there actually are if the ring buffer is full. Using a very large or negative count will make albatross-console loop over the ring buffer accumulating entries in a list until the length of the list equals the requested count (an OCaml int). As this could be max_int or -1 this would exhaust memory, too.

Scope

The bug was introduced in 8a113e5ce07f062c701abb1c09ba3ce3147db867 and affected versions are v1.0.0 through v2.7.1. The vulnerability is only exploitable to users who can send console subscription commands to unikernels that produce sufficient log output to fill the ring buffer (1024 lines). It is not exploitable by unauthorized clients.

Severity
4.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
Credits
Reynir Björnsson
Reynir Björnsson
Edwin Török
References
To clipboard 

{
  "affected": [
    {
      "ecosystem_specific": {
        "opam_constraint": "albatross {\u003e= \"1.0.0\" \u0026 \u003c \"2.7.2\"}"
      },
      "package": {
        "ecosystem": "opam",
        "name": "albatross",
        "purl": "pkg:opam/albatross"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "2.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "e07de2a904133e633773302d335ceb1f2c9945da"
            }
          ],
          "repo": "https://git.robur.coop/robur/albatross.git",
          "type": "GIT"
        }
      ],
      "versions": [
        "1.0.1",
        "1.1.0",
        "1.1.1",
        "1.2.0",
        "1.3.0",
        "1.3.1",
        "1.4.0",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.5.0",
        "1.5.1",
        "1.5.2",
        "1.5.3",
        "1.5.4",
        "1.5.5",
        "1.5.6",
        "2.0.0",
        "2.1.0",
        "2.2.0",
        "2.3.0",
        "2.4.0",
        "2.4.1",
        "2.5.0",
        "2.5.1",
        "2.6.0",
        "2.6.1",
        "2.6.2",
        "2.7.0",
        "2.7.1"
      ]
    }
  ],
  "credits": [
    {
      "name": "Reynir Bj\u00f6rnsson",
      "type": "REPORTER"
    },
    {
      "name": "Reynir Bj\u00f6rnsson",
      "type": "REMEDIATION_DEVELOPER"
    },
    {
      "name": "Edwin T\u00f6r\u00f6k",
      "type": "COORDINATOR"
    }
  ],
  "database_specific": {
    "cwe": [
      "CWE-770",
      "CWE-405"
    ],
    "human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2026/OSEC-2026-09.md",
    "osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2026/OSEC-2026-09.json"
  },
  "details": "Albatross-console doesn\u0027t properly terminate when looping over the ringbuffer. This leads to denial of service and memory exhaustion.\n\n## Scenario\n\nA user that has access to albatross-console either via the unix domain socket (requires root:albatross by default) or via albatross-tls-endpoint (requires a valid certificate and a running unikernel) can send a specially crafted query for console logs that will make albatross-console hang and eventually exhaust memory.\n\n## Detailed description\n\nAlbatross-console receives console messages from running unikernels via named pipes. These console messages are stored in memory in a ring buffer with a non-configurable default size of 1024 lines. A client query the console output of a unikernel with either a count or a timestamp for limiting the output. A bug in the ring buffer logic exists so that when the ring buffer is full (has 1024 lines) the termination logic doesn\u0027t work properly.\n\nWhen using a timestamp to limit then a timestamp earlier than all recorded console output in the ring buffer bypasses the termination logic, and albatross-console will repeatedly loop over the ring buffer accumulating the entries in a list indefinitely eventually exhausting memory.\n\nIf using a count the termination logic doesn\u0027t take into consideration how many entries there actually are if the ring buffer is full. Using a very large or negative count will make albatross-console loop over the ring buffer accumulating entries in a list until the length of the list equals the requested count (an OCaml int). As this could be max_int or -1 this would exhaust memory, too.\n\n## Scope\n\nThe bug was introduced in 8a113e5ce07f062c701abb1c09ba3ce3147db867 and affected versions are v1.0.0 through v2.7.1. The vulnerability is only exploitable to users who can send console subscription commands to unikernels that produce sufficient log output to fill the ring buffer (1024 lines). It is not exploitable by unauthorized clients.",
  "id": "OSEC-2026-09",
  "modified": "2026-05-28T08:59:44Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/robur-coop/albatross/pull/273"
    }
  ],
  "schema_version": "1.7.4",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Albatross-console memory exhaustion"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.