Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin.
AnalysisAI
Off-by-one error in Velocidex Velociraptor before version 0.76.5 on Windows and Linux causes denial of service when parsing specially crafted .evtx files through the parse_evtx VQL plugin. Local attackers with user-level privileges can crash the Velociraptor process by uploading or providing malformed event log files, disrupting forensic investigations and incident response operations. The vulnerability requires user interaction (file upload/selection) but grants an attacker both integrity and availability impact despite the CVSS 4.4 (Medium) rating.
Technical ContextAI
Velocidex Velociraptor is a digital forensics and incident response (DFIR) platform built with VQL (Velociraptor Query Language). The vulnerability exists in memory parsing functions ConsumeUnit16Array and ConsumeUnit64Array, which handle binary data extraction from Windows Event Log (.evtx) files. These functions suffer from off-by-one errors (CWE-193), where array boundary checks are off by one position, allowing crafted .evtx files to trigger buffer over-read or over-write conditions. The parse_evtx VQL plugin is commonly used by security teams to parse Windows event logs for threat hunting and forensic analysis. The affected CPE indicates all versions prior to 0.76.5 across all platforms are vulnerable.
RemediationAI
Upgrade Velocidex Velociraptor to version 0.76.5 or later on all affected Windows and Linux systems. This patched version corrects the off-by-one errors in the ConsumeUnit16Array and ConsumeUnit64Array functions. Until patching is completed, implement compensating controls: restrict the parse_evtx VQL plugin to trusted analysts only by modifying VQL ACLs in the Velociraptor configuration, validate .evtx files with external tools before processing them through Velociraptor, and use process monitoring/restart mechanisms (e.g., Velociraptor's built-in server auto-restart) to automatically recover from crashes. Note that disabling parse_evtx may limit forensic capabilities for event log analysis. For deployment environments, prioritize patching systems where analysts regularly process untrusted or externally sourced .evtx files. See https://docs.velociraptor.app/announcements/advisories/cve-2026-7572/ for patch download and deployment guidance.
Same weakness CWE-193 – Off-by-one Error
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27516
GHSA-6cmp-qv2f-x97x