Skip to main content

rsyslog imhttp CVE-2026-55556

CRITICAL
2026-06-23
Share

Severity by source

vuln.today AI
8.2 HIGH

Network-reachable unauthenticated attack against HTTP endpoint; primary impact is heap corruption causing process crash (A:H) with minor heap integrity side-effect (I:L); no confidentiality impact confirmed.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Lifecycle Timeline

3
Patch released
Jun 24, 2026 - 04:00 NVD
Source Code Evidence Fetched
Jun 23, 2026 - 16:16 vuln.today
Analysis Generated
Jun 23, 2026 - 16:16 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Heap overflow in rsyslog's contributed imhttp module allows remote unauthenticated clients to corrupt the rsyslog process heap by sending an oversized HTTP Basic Authentication header. The root cause is a one-character typo - calloc(0, len) instead of calloc(1, len) - which allocates zero or minimal bytes before the Base64 decoder writes up to len bytes into the buffer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify rsyslog imhttp listener port
Delivery
Send HTTP request with oversized Base64-encoded Basic Auth header
Exploit
Trigger calloc(0, len) zero-byte allocation in parse_auth_header()
Execution
Base64 decode writes full payload into undersized buffer
Impact
Heap corruption causes rsyslog process crash (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires all five of the following conditions to be simultaneously true: (1) rsyslog must have been compiled with the contributed imhttp module enabled (a non-default build option); (2) the imhttp shared object must be installed and present on the target system; (3) the rsyslog configuration must explicitly load imhttp (e.g., `module(load="imhttp")`); (4) HTTP Basic Authentication must be configured for the affected imhttp endpoint via the `basicauthfile` parameter; and (5) the attacker must have TCP network access to the imhttp listener port. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector was provided by NVD or the reporter; the assessed CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H (~8.2 High) reflects a network-reachable, unauthenticated attack path with likely DoS impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with TCP access to an rsyslog imhttp listener configured with Basic Authentication sends a single crafted HTTP request containing an oversized Base64-encoded Authorization header - no prior authentication or session state is required. The oversized header passes the `apr_base64_decode_len()` size check, triggering `calloc(0, len)` to return a zero-byte or minimal allocation, after which `apr_base64_decode()` writes the full decoded payload into that buffer, overflowing adjacent heap metadata. …
Remediation The primary remediation is upgrading to rsyslog 8.2604.0 or later, which removes the vulnerable Basic Authentication parser entirely via the auth refactor in commit acde2ba25ea33816694b787859f4a727a247b6d6 (https://github.com/rsyslog/rsyslog/commit/acde2ba25ea33816694b787859f4a727a247b6d6). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all systems running rsyslog with the imhttp module enabled and disable the module if not actively required. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Not-Affected
SLES15-SP6-CHOST-BYOS Not-Affected
SLES15-SP6-CHOST-BYOS-Aliyun Not-Affected
SLES15-SP6-CHOST-BYOS-Azure Not-Affected
SLES15-SP6-CHOST-BYOS-EC2 Not-Affected

Share

CVE-2026-55556 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy