Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated, pre-session, network-reachable trigger with low complexity gives AV:N/AC:L/PR:N/UI:N; impact is availability-only memory exhaustion, so C:N/I:N/A:H.
Primary rating from Vendor (ENISA).
CVSS VectorVendor: ENISA
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service in open62541. The serverUris field of FindServersRequest is not validated for length or array size. An attacker can declare an arbitrarily large string (up to ~3.9 GB) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configuration. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
AnalysisAI
Remote memory exhaustion in open62541's FindServers Discovery Service lets an unauthenticated attacker crash or degrade OPC UA servers built on versions 1.4.0-1.4.16, 1.5.0-1.5.4, and master. Because the serverUris field of a FindServersRequest is never validated for length or array size, an attacker can declare a string of up to ~3.9 GB and stream it across chunks while withholding the final chunk, forcing the server to buffer everything in RAM until the SecureChannel times out. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the target expose the OPC UA Discovery Service - specifically the FindServers endpoint - to the attacker over the network; it occurs pre-session and before any security-policy/encryption negotiation, so no credentials, certificates, or user interaction are needed (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5) is internally consistent with the description: network-reachable, low complexity, no privileges, no user interaction, and pure availability impact with no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to an OPC UA server opens a SecureChannel and sends a FindServersRequest whose serverUris field declares a multi-gigabyte string, then streams intermediate chunks while deliberately never sending the final chunk. The server buffers every chunk in RAM until the SecureChannel times out, and by opening several such connections the attacker drives the process into memory exhaustion and denial of service. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the fix from https://github.com/open62541/open62541/pull/8142 (change https://github.com/open62541/open62541/pull/8142/changes/d253818d6c5e870e1db0e360b18138c8bdc809ae) by upgrading to a build that includes it once a tagged 1.4.x/1.5.x release ships, or by cherry-picking the patch into your current build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running open62541 versions 1.4.0-1.4.16, 1.5.0-1.5.4, or master branch; assess network exposure of affected OPC UA endpoints. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Uncontrolled memory consumption in open62541's OPC UA Discovery Service allows a remote, unauthenticated attacker to cra
The package open62541/open62541 before 1.2.5, from 1.3-rc1 and before 1.3.1 are vulnerable to Denial of Service (DoS) du
Null pointer dereference in open62541's client library (versions up to 1.5.5) allows a remote OPC UA server to crash a c
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41256
GHSA-r94m-59fw-hm34