TDengine CVE-2026-62353
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Server crash warrants A:H over vendor-assigned A:L; PR:L confirmed by authentication requirement; C:L for single adjacent byte read.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
TDengine is a time-series database optimized for Internet of Things devices. Prior to 3.4.1.14, source/libs/parser/src/parTokenizer.c tGetToken() incremented past a trailing backslash in a SQL string literal such as 'abc\ and read one byte beyond the null terminator, allowing an authenticated user who can submit SQL queries to crash the server and possibly leak adjacent memory. This issue is fixed in version 3.4.1.14.
AnalysisAI
Out-of-bounds read in TDengine's SQL tokenizer (versions prior to 3.4.1.14) allows an authenticated user with SQL query access to crash the database server and potentially leak one byte of adjacent heap memory. The flaw resides in tGetToken() within source/libs/parser/src/parTokenizer.c, triggered by submitting a SQL string literal ending in a bare backslash (e.g., 'abc\). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session to TDengine with permission to submit SQL queries - specifically, PR:L in CVSS terms, meaning at minimum a low-privileged database account. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L reflects a network-reachable, low-complexity flaw requiring only low-privileged authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated TDengine user - or an attacker who has compromised a low-privileged database account - connects to the TDengine server and executes a SQL query containing a string literal with a trailing backslash, such as SELECT * FROM table WHERE name = 'abc\. The tGetToken() parser reads one byte past the end of the string buffer, triggering a process crash and making the TDengine service unavailable until restarted. … |
| Remediation | Upgrade TDengine to version 3.4.1.14 or later, which resolves the off-by-one read in tGetToken() as confirmed by the vendor's GitHub Security Advisory GHSA-5r9p-3j4f-gmgp (https://github.com/taosdata/TDengine/security/advisories/GHSA-5r9p-3j4f-gmgp). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today