Skip to main content

CWE-404

Improper Resource Shutdown or Release

596 CVEs Avg CVSS 5.5 MITRE
2
CRITICAL
190
HIGH
269
MEDIUM
134
LOW
305
POC
5
KEV

Monthly

CVE-2026-15276 LOW Monitor

Denial of service in pdeljanov Symphonia up to version 0.6.0 can be triggered locally by a low-privileged attacker who supplies a crafted audio file to the Metadata Handler component, causing improper resource release and application unavailability. The root cause is CWE-404 (Improper Resource Shutdown or Release) within the metadata parsing subsystem, with no impact on confidentiality or data integrity. A proof-of-concept exploit has been published; however, no patched release exists as the upstream fix (PR #514) remains unmerged at time of analysis.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15274 LOW Monitor

Denial-of-service in fbxcel up to 0.9.0 allows a local, low-privileged attacker to crash any application embedding this Rust FBX-parsing library by supplying a crafted FBX file that triggers improper resource handling in the v7400 Node Header Handler. Impact is limited to availability with no confidentiality or integrity consequence, consistent with the CVSS 4.0 base score of 1.9. A public proof-of-concept exists (CVSS 4.0 E:P), though exploitation is constrained entirely to local access paths; no KEV listing or active exploitation has been reported.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-59725 HIGH PATCH This Week

Denial of service in Socket.IO (Engine.IO server) from 4.1.0 before 6.6.7 lets a remote unauthenticated attacker exhaust server-side connections and sockets by sending invalid binary POST requests. When the Engine.IO v4 polling transport receives a malformed binary payload with Content-Type: application/octet-stream, it fails to close the HTTP response, leaking the underlying socket until connection and file-descriptor limits are reached. No public exploit identified at time of analysis; the flaw is fixed in engine.io 6.6.7.

Information Disclosure Socket Io
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-14650 LOW Monitor

Local denial-of-service in the grass Rust-based Sass compiler (versions up to and including 0.13.4) is triggerable by a local, low-privileged user who supplies crafted UTF-8 input to the `grass_compiler::raw_to_parse_error` function. Publicly available exploit code exists (CVSS 4.0 E:P), though no CISA KEV listing has been issued. The project maintainer has explicitly stated in Issue #117 that DoS in Sass compilers is considered acceptable behavior due to the inherently exponential nature of the @extend algorithm and other compile-time constructs, significantly reducing the urgency of a vendor-released fix.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-14651 LOW POC Monitor

Denial-of-service in the grass Sass compiler (up to v0.13.4) allows a local attacker with low privileges to trigger exponential resource consumption via a crafted stylesheet using the CSS @extend directive. The affected functions are grass_compiler::selector::extend and grass_compiler::evaluate::visitor, where the @extend algorithm's inherently exponential complexity can be exploited with a maliciously constructed input to hang or crash the compiler process. A public exploit has been disclosed; however, the project maintainer explicitly contests the severity, noting that DoS conditions are an accepted and expected limitation of Sass compilers by design.

Denial Of Service Grass
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-14626 LOW Monitor

Denial of service in NousResearch hermes-agent (versions up to 2026.4.30) is triggered by manipulating the `todos` argument passed to the `AIAgent.run_conversation` function via the HTTP API in `run_agent.py`. An authenticated remote attacker can send a crafted request to crash or resource-exhaust the agent process, disrupting availability for legitimate users. No public exploit identified at time of analysis is incorrect here - a public exploit exists (E:P in CVSS 4.0 vector; GitHub Gist referenced), and the vendor has not responded to disclosure, leaving no patch available.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14624 LOW POC PATCH Monitor

Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allows remote low-privileged attackers to crash the AMF process by sending a malformed NGSetupRequest message over the NGAP interface. A publicly available proof-of-concept exploit exists via GitHub issue #677, lowering the exploitation barrier substantially. No CISA KEV listing exists, but given the AMF's role as the central mobility and registration anchor in 5G core infrastructure, even a partial service disruption can deny connectivity across entire served cell areas.

Denial Of Service Amf
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14623 LOW POC PATCH Monitor

Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privileged remote attacker to crash or degrade the NGAP Message Handler by submitting a crafted RRCInactiveTransitionReport message, exploiting improper resource release (CWE-404). The vulnerability affects the 5G core network control plane component responsible for UE mobility and session management, making it a high-value target in operator and research 5G deployments. No active exploitation is confirmed via CISA KEV, but a public proof-of-concept has been disclosed via GitHub issue #676 and a patch commit exists.

Denial Of Service Amf
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.5%
CVE-2026-14618 LOW POC PATCH Monitor

Denial of service in the Open5GS AMF component (versions up to 2.7.7) can be triggered remotely by a low-privileged attacker via improper resource handling in the `amf_nnrf_handle_nf_discover` function of `src/amf/nnrf-handler.c`. The AMF is a critical 5G core control-plane element; crashing or hanging it disrupts mobility management and NF discovery for all connected UEs and network functions. A public proof-of-concept exists (GitHub issue #4517), and a patch commit has been identified, though the fix originates in a fork rather than the mainline repository.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-12575 HIGH This Week

Denial of service in Delta Electronics DVP80ES3 programmable logic controllers arises from an improper resource shutdown or release flaw (CWE-404) that lets remote unauthenticated attackers exhaust or corrupt device resources. Per the CVSS vector the impact is limited to availability (A:H) with no confidentiality or integrity loss, meaning a successful attacker can crash or hang the PLC and disrupt the controlled industrial process. No public exploit identified at time of analysis; the issue is documented in Delta advisory Delta-PCSA-2026-00009, which bundles it with CVE-2026-12576 and CVE-2026-12577.

Information Disclosure Dvp80Es3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
EPSS 0% CVSS 1.9
LOW Monitor

Denial of service in pdeljanov Symphonia up to version 0.6.0 can be triggered locally by a low-privileged attacker who supplies a crafted audio file to the Metadata Handler component, causing improper resource release and application unavailability. The root cause is CWE-404 (Improper Resource Shutdown or Release) within the metadata parsing subsystem, with no impact on confidentiality or data integrity. A proof-of-concept exploit has been published; however, no patched release exists as the upstream fix (PR #514) remains unmerged at time of analysis.

Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW Monitor

Denial-of-service in fbxcel up to 0.9.0 allows a local, low-privileged attacker to crash any application embedding this Rust FBX-parsing library by supplying a crafted FBX file that triggers improper resource handling in the v7400 Node Header Handler. Impact is limited to availability with no confidentiality or integrity consequence, consistent with the CVSS 4.0 base score of 1.9. A public proof-of-concept exists (CVSS 4.0 E:P), though exploitation is constrained entirely to local access paths; no KEV listing or active exploitation has been reported.

Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Socket.IO (Engine.IO server) from 4.1.0 before 6.6.7 lets a remote unauthenticated attacker exhaust server-side connections and sockets by sending invalid binary POST requests. When the Engine.IO v4 polling transport receives a malformed binary payload with Content-Type: application/octet-stream, it fails to close the HTTP response, leaking the underlying socket until connection and file-descriptor limits are reached. No public exploit identified at time of analysis; the flaw is fixed in engine.io 6.6.7.

Information Disclosure Socket Io
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW Monitor

Local denial-of-service in the grass Rust-based Sass compiler (versions up to and including 0.13.4) is triggerable by a local, low-privileged user who supplies crafted UTF-8 input to the `grass_compiler::raw_to_parse_error` function. Publicly available exploit code exists (CVSS 4.0 E:P), though no CISA KEV listing has been issued. The project maintainer has explicitly stated in Issue #117 that DoS in Sass compilers is considered acceptable behavior due to the inherently exponential nature of the @extend algorithm and other compile-time constructs, significantly reducing the urgency of a vendor-released fix.

Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Denial-of-service in the grass Sass compiler (up to v0.13.4) allows a local attacker with low privileges to trigger exponential resource consumption via a crafted stylesheet using the CSS @extend directive. The affected functions are grass_compiler::selector::extend and grass_compiler::evaluate::visitor, where the @extend algorithm's inherently exponential complexity can be exploited with a maliciously constructed input to hang or crash the compiler process. A public exploit has been disclosed; however, the project maintainer explicitly contests the severity, noting that DoS conditions are an accepted and expected limitation of Sass compilers by design.

Denial Of Service Grass
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Denial of service in NousResearch hermes-agent (versions up to 2026.4.30) is triggered by manipulating the `todos` argument passed to the `AIAgent.run_conversation` function via the HTTP API in `run_agent.py`. An authenticated remote attacker can send a crafted request to crash or resource-exhaust the agent process, disrupting availability for legitimate users. No public exploit identified at time of analysis is incorrect here - a public exploit exists (E:P in CVSS 4.0 vector; GitHub Gist referenced), and the vendor has not responded to disclosure, leaving no patch available.

Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Denial of service in omec-project's 5G Access and Mobility Management Function (AMF) versions up to 2.0.2 and 2.1.1 allows remote low-privileged attackers to crash the AMF process by sending a malformed NGSetupRequest message over the NGAP interface. A publicly available proof-of-concept exploit exists via GitHub issue #677, lowering the exploitation barrier substantially. No CISA KEV listing exists, but given the AMF's role as the central mobility and registration anchor in 5G core infrastructure, even a partial service disruption can deny connectivity across entire served cell areas.

Denial Of Service Amf
NVD VulDB GitHub
EPSS 1% CVSS 2.1
LOW POC PATCH Monitor

Denial of service in omec-project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows a low-privileged remote attacker to crash or degrade the NGAP Message Handler by submitting a crafted RRCInactiveTransitionReport message, exploiting improper resource release (CWE-404). The vulnerability affects the 5G core network control plane component responsible for UE mobility and session management, making it a high-value target in operator and research 5G deployments. No active exploitation is confirmed via CISA KEV, but a public proof-of-concept has been disclosed via GitHub issue #676 and a patch commit exists.

Denial Of Service Amf
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Denial of service in the Open5GS AMF component (versions up to 2.7.7) can be triggered remotely by a low-privileged attacker via improper resource handling in the `amf_nnrf_handle_nf_discover` function of `src/amf/nnrf-handler.c`. The AMF is a critical 5G core control-plane element; crashing or hanging it disrupts mobility management and NF discovery for all connected UEs and network functions. A public proof-of-concept exists (GitHub issue #4517), and a patch commit has been identified, though the fix originates in a fork rather than the mainline repository.

Denial Of Service Open5gs
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in Delta Electronics DVP80ES3 programmable logic controllers arises from an improper resource shutdown or release flaw (CWE-404) that lets remote unauthenticated attackers exhaust or corrupt device resources. Per the CVSS vector the impact is limited to availability (A:H) with no confidentiality or integrity loss, meaning a successful attacker can crash or hang the PLC and disrupt the controlled industrial process. No public exploit identified at time of analysis; the issue is documented in Delta advisory Delta-PCSA-2026-00009, which bundles it with CVE-2026-12576 and CVE-2026-12577.

Information Disclosure Dvp80Es3
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy