Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
Network-reachable SQL parser needs low-priv authentication (PR:L) and is easy to trigger (AC:L); single-byte overflow yields reliable DoS (A:H) but only speculative, limited C/I impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
Lifecycle Timeline
3DescriptionCVE.org
TDengine is an open source, time-series database optimized for Internet of Things devices. In 3.4.1.6 and earlier, source/libs/parser/src/parUtil.c trimString() checks space for only one byte before processing SQL string escape sequences \%, \_, or \x, allowing a one-byte out-of-bounds write to the stack buffer tmpTokenBuf that can cause denial of service and potentially remote code execution. This issue is fixed in version 3.4.1.14.
AnalysisAI
Stack-based buffer overflow in TDengine (open-source IoT time-series database) versions 3.4.1.6 and earlier allows an authenticated user to trigger a one-byte out-of-bounds write by submitting SQL containing crafted escape sequences (\%, \_, or \x), leading to denial of service and potentially remote code execution. The flaw sits in the SQL parser's trimString() routine, which validates only a single byte of remaining space in the tmpTokenBuf stack buffer before writing escape-processed data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session capable of submitting SQL to the TDengine engine (CVSS PR:L), and the malicious input must contain one of the specific string-escape sequences \%, \_, or \x within a SQL string literal so that trimString() enters the vulnerable escape-processing path with tmpTokenBuf near full. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 8.3 (High) with vector AV:N/AC:L/PR:L/UI:N, indicating network-reachable, low-complexity exploitation that requires some level of authentication (PR:L) - consistent with the need to submit SQL to the database engine. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a low-privilege TDengine account (or an application service account reachable via SQL injection) submits a query whose string literal contains a crafted \%, \_, or \x escape sequence sized to overflow tmpTokenBuf by one byte. The malformed input corrupts adjacent stack memory during parsing, crashing the server process and denying service to all clients; with significant additional effort and favorable memory layout the same primitive is claimed to be leverageable toward code execution. … |
| Remediation | Vendor-released patch: upgrade to TDengine 3.4.1.14 or later, which corrects the bounds check in trimString(); this is the primary and recommended fix per the vendor advisory at https://github.com/taosdata/TDengine/security/advisories/GHSA-4v5h-fxjw-vrmq. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems running TDengine versions 3.4.1.6 or earlier and document which applications and user accounts have database access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44767