Velociraptor CVE-2026-6948
MEDIUMSeverity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel.
This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.
AnalysisAI
Velociraptor server versions before 0.76.4 are vulnerable to denial of service via resource exhaustion when a compromised or rogue client sends specially crafted messages through the agent control channel, causing out-of-memory conditions and server crashes. The vulnerability requires authenticated client access but can be triggered by any authenticated agent, making it a realistic threat in environments where client integrity cannot be guaranteed. CVSS score of 4.9 reflects high privileges required (PR:H) but complete availability impact.
Technical ContextAI
Velociraptor is a endpoint visibility and collection agent framework used for digital forensics and incident response. The vulnerability exists in the server's agent control channel - the communication pathway through which authenticated clients send requests and data to the server. The root cause is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), indicating the server fails to implement proper memory allocation guards or rate limiting for inbound messages from authenticated clients. When a client sends specially crafted messages, the server allocates memory without sufficient bounds checking, exhausting available heap memory and triggering out-of-memory crashes that terminate the server process.
Affected ProductsAI
Velociraptor versions prior to 0.76.4 are vulnerable. This includes all 0.76.x releases before patch version 0.76.4, as well as all earlier major/minor versions (0.75.x, 0.74.x, etc.). The vendor advisory is located at https://docs.velociraptor.app/announcements/advisories/cve-2026-6948/. Specific CPE identifiers are not provided in available data, but affected scope is any Velociraptor server deployment running versions below 0.76.4.
RemediationAI
Upgrade Velociraptor server immediately to version 0.76.4 or later, which includes fixes for the resource exhaustion vulnerability. Follow the official upgrade path documented at https://docs.velociraptor.app/announcements/advisories/cve-2026-6948/. Until patching is feasible, implement network-level access controls to restrict which systems can connect as Velociraptor clients - this limits the attack surface to systems you have already verified as trustworthy. Additionally, monitor server memory utilization and process health; configure operating system or container-level memory limits and automatic restart policies to minimize downtime if an OOM event occurs. However, note that these workarounds do not prevent the crash itself, only reduce its impact duration. Prioritize patching as the primary remediation.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today