Skip to main content

TDengine CVE-2026-62353

MEDIUM
Out-of-bounds Read (CWE-125)
2026-07-15 security-advisories@github.com
5.4
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
vuln.today AI
7.1 HIGH

Server crash warrants A:H over vendor-assigned A:L; PR:L confirmed by authentication requirement; C:L for single adjacent byte read.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 15, 2026 - 19:33 vuln.today

DescriptionCVE.org

TDengine is a time-series database optimized for Internet of Things devices. Prior to 3.4.1.14, source/libs/parser/src/parTokenizer.c tGetToken() incremented past a trailing backslash in a SQL string literal such as 'abc\ and read one byte beyond the null terminator, allowing an authenticated user who can submit SQL queries to crash the server and possibly leak adjacent memory. This issue is fixed in version 3.4.1.14.

AnalysisAI

Out-of-bounds read in TDengine's SQL tokenizer (versions prior to 3.4.1.14) allows an authenticated user with SQL query access to crash the database server and potentially leak one byte of adjacent heap memory. The flaw resides in tGetToken() within source/libs/parser/src/parTokenizer.c, triggered by submitting a SQL string literal ending in a bare backslash (e.g., 'abc\). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged TDengine credentials
Delivery
Connect to TDengine SQL interface over network
Exploit
Submit SQL query with trailing-backslash string literal
Execution
Trigger off-by-one read in tGetToken()
Impact
Server process crashes (DoS) or leaks adjacent heap byte

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session to TDengine with permission to submit SQL queries - specifically, PR:L in CVSS terms, meaning at minimum a low-privileged database account. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L reflects a network-reachable, low-complexity flaw requiring only low-privileged authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated TDengine user - or an attacker who has compromised a low-privileged database account - connects to the TDengine server and executes a SQL query containing a string literal with a trailing backslash, such as SELECT * FROM table WHERE name = 'abc\. The tGetToken() parser reads one byte past the end of the string buffer, triggering a process crash and making the TDengine service unavailable until restarted. …
Remediation Upgrade TDengine to version 3.4.1.14 or later, which resolves the off-by-one read in tGetToken() as confirmed by the vendor's GitHub Security Advisory GHSA-5r9p-3j4f-gmgp (https://github.com/taosdata/TDengine/security/advisories/GHSA-5r9p-3j4f-gmgp). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-62353 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy