Skip to main content

rpcx CVE-2026-59803

| EUVDEUVD-2026-42372 HIGH
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-07-08 VulnCheck GHSA-hgrm-22x6-r8c8
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote, unauthenticated, low-complexity trigger before auth (AV:N/AC:L/PR:N/UI:N) with pure availability impact via OOM; no confidentiality or integrity effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 20:33 vuln.today

DescriptionCVE.org

rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode (protocol/message.go). When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in size guard, protocol.MaxMessageLength, is checked against the compressed on-the-wire frame length, not the decompressed size, so it provides no protection. Because decoding (and decompression) occurs in readRequest before authentication, a single unauthenticated connection can send a small (under 2 MB) gzip-compressed message that expands to gigabytes of heap allocation, leading to out-of-memory conditions and service unavailability.

AnalysisAI

Uncontrolled resource consumption in the smallnest rpcx Go RPC framework (through 1.9.3) lets a single unauthenticated client crash the server by sending a small (<2 MB) gzip-compressed protocol message that decompresses into gigabytes of heap. Because protocol.Message.Decode inflates the payload via util.Unzip during readRequest - before any authentication - and the only size guard (protocol.MaxMessageLength) is checked against the compressed frame rather than the decompressed output, the server exhausts memory and becomes unavailable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed rpcx port
Delivery
Craft <2MB gzip bomb frame
Exploit
Set compression flag, send unauthenticated
Execution
Server decompresses in readRequest
Persist
Heap expands to gigabytes
Impact
OOM crashes service

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target run an rpcx server (through 1.9.3) reachable over the network and accepting the rpcx binary wire protocol; the attacker must set the message compression flag so the payload is routed through util.Unzip/gzip decompression in protocol.Message.Decode. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent and point to a genuine, easy-to-trigger availability risk rather than a paper-high score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a gzip 'bomb' - a highly compressible payload (e.g. gigabytes of repeated bytes) that compresses to under 2 MB - wraps it in an rpcx protocol frame with the compression flag set, and sends it over a single TCP connection to any exposed rpcx server without authenticating. …
Remediation Upstream fix available (commit 047aec1); a released, tagged patched version was not independently confirmed from the provided data, so update to the first rpcx release that includes commit 047aec18efa7d037105e2b72c36dd2ae05e1acc6 (merged via PR #943) - pin to that commit or later if a semver tag beyond 1.9.3 is not yet published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all applications using smallnest rpcx and their deployment scope (production vs. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59803 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy