Skip to main content

open62541 CVE-2026-33592

| EUVDEUVD-2026-41256 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-02 ENISA GHSA-r94m-59fw-hm34
7.5
CVSS 3.1 · Vendor: ENISA
Share

Severity by source

Vendor (ENISA) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Unauthenticated, pre-session, network-reachable trigger with low complexity gives AV:N/AC:L/PR:N/UI:N; impact is availability-only memory exhaustion, so C:N/I:N/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ENISA).

CVSS VectorVendor: ENISA

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 07:50 vuln.today

DescriptionCVE.org

An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service in open62541. The serverUris field of FindServersRequest is not validated for length or array size. An attacker can declare an arbitrarily large string (up to ~3.9 GB) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configuration. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.

AnalysisAI

Remote memory exhaustion in open62541's FindServers Discovery Service lets an unauthenticated attacker crash or degrade OPC UA servers built on versions 1.4.0-1.4.16, 1.5.0-1.5.4, and master. Because the serverUris field of a FindServersRequest is never validated for length or array size, an attacker can declare a string of up to ~3.9 GB and stream it across chunks while withholding the final chunk, forcing the server to buffer everything in RAM until the SecureChannel times out. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach OPC UA discovery port
Delivery
Open SecureChannel (pre-session)
Exploit
Send FindServersRequest with oversized serverUris
Execution
Stream chunks, withhold final chunk
Persist
Server buffers gigabytes in RAM
Impact
Memory exhaustion, denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the target expose the OPC UA Discovery Service - specifically the FindServers endpoint - to the attacker over the network; it occurs pre-session and before any security-policy/encryption negotiation, so no credentials, certificates, or user interaction are needed (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5) is internally consistent with the description: network-reachable, low complexity, no privileges, no user interaction, and pure availability impact with no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to an OPC UA server opens a SecureChannel and sends a FindServersRequest whose serverUris field declares a multi-gigabyte string, then streams intermediate chunks while deliberately never sending the final chunk. The server buffers every chunk in RAM until the SecureChannel times out, and by opening several such connections the attacker drives the process into memory exhaustion and denial of service. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the fix from https://github.com/open62541/open62541/pull/8142 (change https://github.com/open62541/open62541/pull/8142/changes/d253818d6c5e870e1db0e360b18138c8bdc809ae) by upgrading to a build that includes it once a tagged 1.4.x/1.5.x release ships, or by cherry-picking the patch into your current build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running open62541 versions 1.4.0-1.4.16, 1.5.0-1.5.4, or master branch; assess network exposure of affected OPC UA endpoints. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-33592 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy