Skip to main content

TDengine CVE-2026-42542

| EUVDEUVD-2026-36136 HIGH
Integer Underflow (CWE-191)
2026-06-10 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Single crafted RPC packet over the network with no credentials or user interaction (AV:N/AC:L/PR:N/UI:N); impact limited to taosd crash, so C:N/I:N/A:H, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 10, 2026 - 22:01 EUVD
Source Code Evidence Fetched
Jun 10, 2026 - 21:18 vuln.today
Analysis Generated
Jun 10, 2026 - 21:18 vuln.today

DescriptionCVE.org

TDengine is an open source, time-series database optimized for Internet of Things devices. In versions 3.4.0.0 through 3.4.1.5, an unauthenticated remote attacker can crash the taosd server process by sending a single crafted RPC packet. No credentials or prior session state are required. Version 3.4.1.6 fixes the issue.

AnalysisAI

Remote unauthenticated denial-of-service in TDengine versions 3.4.0.0 through 3.4.1.5 allows attackers to crash the taosd server process by sending a single crafted RPC packet, with no credentials or prior session state required. The flaw is a CWE-191 integer underflow (vendor tags also reference Integer Overflow) in RPC packet handling, fixed in version 3.4.1.6. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Technical ContextAI

TDengine is an open-source time-series database (cpe:2.3:a:taosdata:tdengine) widely used in IoT telemetry pipelines; the taosd daemon is the core query/storage process that accepts client and cluster traffic over a proprietary RPC protocol. The weakness is classified as CWE-191 (Integer Underflow / Wraparound), which typically occurs when a length, offset, or size field in a packet header is subtracted or cast without sufficient bounds checking, producing an unexpectedly large unsigned value that drives downstream memory operations into invalid states and triggers a process crash. The vendor-applied tag of Integer Overflow alongside CWE-191 indicates the bug arises in arithmetic on attacker-controlled length fields inside the RPC parser, where a single malformed packet is sufficient to abort taosd.

RemediationAI

Vendor-released patch: 3.4.1.6 - upgrade all taosd nodes from any 3.4.0.0-3.4.1.5 build to 3.4.1.6 as published at https://github.com/taosdata/TDengine/releases/tag/ver-3.4.1.6, following guidance in advisory GHSA-vg95-j2hf-hvjx. Where immediate upgrade is not possible, restrict network reachability of the taosd RPC port (default 6030) to known client and cluster peers via host firewalls, security groups, or a service-mesh allowlist, which fully blocks the unauthenticated attack vector but breaks any legitimate client that connects from outside the allowlisted range. Monitor taosd for unexpected process exits and configure the supervisor (systemd, Kubernetes liveness probes, or taosKeeper) to auto-restart, accepting that this only reduces outage duration and does not prevent repeated crash loops if an attacker keeps sending the malformed packet.

Share

CVE-2026-42542 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy