Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Single crafted RPC packet over the network with no credentials or user interaction (AV:N/AC:L/PR:N/UI:N); impact limited to taosd crash, so C:N/I:N/A:H, scope unchanged.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
TDengine is an open source, time-series database optimized for Internet of Things devices. In versions 3.4.0.0 through 3.4.1.5, an unauthenticated remote attacker can crash the taosd server process by sending a single crafted RPC packet. No credentials or prior session state are required. Version 3.4.1.6 fixes the issue.
AnalysisAI
Remote unauthenticated denial-of-service in TDengine versions 3.4.0.0 through 3.4.1.5 allows attackers to crash the taosd server process by sending a single crafted RPC packet, with no credentials or prior session state required. The flaw is a CWE-191 integer underflow (vendor tags also reference Integer Overflow) in RPC packet handling, fixed in version 3.4.1.6. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Technical ContextAI
TDengine is an open-source time-series database (cpe:2.3:a:taosdata:tdengine) widely used in IoT telemetry pipelines; the taosd daemon is the core query/storage process that accepts client and cluster traffic over a proprietary RPC protocol. The weakness is classified as CWE-191 (Integer Underflow / Wraparound), which typically occurs when a length, offset, or size field in a packet header is subtracted or cast without sufficient bounds checking, producing an unexpectedly large unsigned value that drives downstream memory operations into invalid states and triggers a process crash. The vendor-applied tag of Integer Overflow alongside CWE-191 indicates the bug arises in arithmetic on attacker-controlled length fields inside the RPC parser, where a single malformed packet is sufficient to abort taosd.
RemediationAI
Vendor-released patch: 3.4.1.6 - upgrade all taosd nodes from any 3.4.0.0-3.4.1.5 build to 3.4.1.6 as published at https://github.com/taosdata/TDengine/releases/tag/ver-3.4.1.6, following guidance in advisory GHSA-vg95-j2hf-hvjx. Where immediate upgrade is not possible, restrict network reachability of the taosd RPC port (default 6030) to known client and cluster peers via host firewalls, security groups, or a service-mesh allowlist, which fully blocks the unauthenticated attack vector but breaks any legitimate client that connects from outside the allowlisted range. Monitor taosd for unexpected process exits and configure the supervisor (systemd, Kubernetes liveness probes, or taosKeeper) to auto-restart, accepting that this only reduces outage duration and does not prevent repeated crash loops if an attacker keeps sending the malformed packet.
Same weakness CWE-191 – Integer Underflow
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36136