Skip to main content

Velociraptor CVE-2026-6948

MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-04 cve@rapid7.com
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 04, 2026 - 00:30 vuln.today
Analysis Generated
May 04, 2026 - 00:22 vuln.today
CVE Published
May 04, 2026 - 00:16 nvd
MEDIUM 4.9

DescriptionCVE.org

Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel.

This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.

AnalysisAI

Velociraptor server versions before 0.76.4 are vulnerable to denial of service via resource exhaustion when a compromised or rogue client sends specially crafted messages through the agent control channel, causing out-of-memory conditions and server crashes. The vulnerability requires authenticated client access but can be triggered by any authenticated agent, making it a realistic threat in environments where client integrity cannot be guaranteed. CVSS score of 4.9 reflects high privileges required (PR:H) but complete availability impact.

Technical ContextAI

Velociraptor is a endpoint visibility and collection agent framework used for digital forensics and incident response. The vulnerability exists in the server's agent control channel - the communication pathway through which authenticated clients send requests and data to the server. The root cause is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), indicating the server fails to implement proper memory allocation guards or rate limiting for inbound messages from authenticated clients. When a client sends specially crafted messages, the server allocates memory without sufficient bounds checking, exhausting available heap memory and triggering out-of-memory crashes that terminate the server process.

Affected ProductsAI

Velociraptor versions prior to 0.76.4 are vulnerable. This includes all 0.76.x releases before patch version 0.76.4, as well as all earlier major/minor versions (0.75.x, 0.74.x, etc.). The vendor advisory is located at https://docs.velociraptor.app/announcements/advisories/cve-2026-6948/. Specific CPE identifiers are not provided in available data, but affected scope is any Velociraptor server deployment running versions below 0.76.4.

RemediationAI

Upgrade Velociraptor server immediately to version 0.76.4 or later, which includes fixes for the resource exhaustion vulnerability. Follow the official upgrade path documented at https://docs.velociraptor.app/announcements/advisories/cve-2026-6948/. Until patching is feasible, implement network-level access controls to restrict which systems can connect as Velociraptor clients - this limits the attack surface to systems you have already verified as trustworthy. Additionally, monitor server memory utilization and process health; configure operating system or container-level memory limits and automatic restart policies to minimize downtime if an OOM event occurs. However, note that these workarounds do not prevent the crash itself, only reduce its impact duration. Prioritize patching as the primary remediation.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed

Share

CVE-2026-6948 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy