Skip to main content

CWE-409

Improper Handling of Highly Compressed Data (Data Amplification)

65 CVEs Avg CVSS 6.8 MITRE
0
CRITICAL
30
HIGH
34
MEDIUM
1
LOW
14
POC
0
KEV

Monthly

CVE-2026-61449 HIGH PATCH This Week

Denial of service in Grav CMS 2.0.1 lets a trusted package source or admin-level uploader bypass the newly added decompression-bomb size cap and exhaust disk space or inodes on the host. The 2.0.1 cap trusts the attacker-forgeable uncompressed size declared in each ZIP central-directory entry rather than the actual inflated stream, so a crafted archive declaring tiny sizes slips past the check while extraction writes the real, far larger payload. This is an incomplete fix for GHSA-928x-9mpw-8h56, corrected in 2.0.2; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Grav
NVD GitHub
CVSS 4.0
7.1
CVE-2026-15709 HIGH This Week

Denial of service in libsoup's WebSocket permessage-deflate implementation lets a remote, unauthenticated attacker crash applications by sending a small, highly compressed 'decompression bomb' that expands without bound during inflation, exhausting memory and triggering an Out-of-Memory kill. All Red Hat Enterprise Linux 6 through 10 ship the affected libsoup HTTP/WebSocket library, and client connections are especially exposed because the decompressed-size guard (max_total_message_size) is disabled by default for clients. There is no public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-12588 MEDIUM This Month

Denial of Service in Trellix HX (versions 10.0.0 and earlier) allows an authenticated network attacker to exhaust appliance resources by submitting a specially crafted highly-compressed file to the HX console, triggering the product's own detection engine to perform runaway decompression. The impact is limited to availability - the EDR appliance becomes unresponsive - but disruption of an endpoint detection and response platform carries secondary operational risk by creating a monitoring blind spot. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists.

Denial Of Service
NVD
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-59193 MEDIUM PATCH This Month

Disk exhaustion and crash vulnerability in Grav's Direct Install tool allows an authenticated admin.super user to upload a specially crafted ZIP archive that decompresses without bound, filling the server disk or crashing the process. Affecting all Grav releases prior to 2.0.0, the root cause is the Installer::unZip method invoking PHP's ZipArchive::extractTo with no enforced limits on uncompressed size, entry count, or directory depth - a classic zip bomb attack surface. No public exploit code or active exploitation has been identified at time of analysis; a vendor-released fix is available in version 2.0.0.

Denial Of Service Grav
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-61455 HIGH PATCH This Week

Denial of service in Grav CMS before 2.0.1 allows authenticated users to exhaust server storage by uploading a crafted ZIP archive (a decompression bomb) that the ZipArchiver::extract() routine expands without enforcing limits on uncompressed size, file count, or nesting depth. The CVSS 4.0 base score of 7.1 reflects a network-reachable, low-privilege flaw whose sole impact is high availability loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Grav
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-59803 HIGH POC PATCH This Week

Uncontrolled resource consumption in the smallnest rpcx Go RPC framework (through 1.9.3) lets a single unauthenticated client crash the server by sending a small (<2 MB) gzip-compressed protocol message that decompresses into gigabytes of heap. Because protocol.Message.Decode inflates the payload via util.Unzip during readRequest - before any authentication - and the only size guard (protocol.MaxMessageLength) is checked against the compressed frame rather than the decompressed output, the server exhausts memory and becomes unavailable. Publicly available exploit code exists and a vendor patch (commit 047aec1) has been released; no public evidence of active exploitation at time of analysis.

Information Disclosure Rpcx
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-59939 PyPI HIGH POC PATCH This Week

Denial of service in the httplib2 Python HTTP client library (all versions prior to 0.32.0) lets a malicious or compromised HTTP server crash the client by returning a small gzip- or deflate-compressed response body that expands without bound during automatic decompression, exhausting memory and triggering a MemoryError or OS OOM-kill. Any application that uses httplib2 to fetch content from untrusted or attacker-controllable endpoints is affected. No public exploit identified at time of analysis; EPSS not provided, but the class is trivially demonstrable and the fix is a one-line-scope behavioral change shipped in 0.32.0.

Python Information Disclosure Httplib2
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-55078 Go MEDIUM PATCH GHSA This Month

Denial of service in Coder's coderd server allows any authenticated user with file-upload access to exhaust server memory by uploading a crafted zip bomb via POST /api/v2/files, crashing the service before RBAC checks execute. Affected versions span all supported release lines prior to v2.34.2, v2.33.8, v2.32.7, and v2.29.17 (ESR). No public exploit has been identified at time of analysis; the impact is strictly an availability loss - the advisory explicitly confirms no data disclosure or code execution is possible, contradicting the 'RCE' tag present in the intelligence feed.

Denial Of Service RCE
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-24264 HIGH This Week

Denial of service in NVIDIA Triton Inference Server for Linux allows remote unauthenticated attackers to exhaust server resources by submitting highly compressed (data-amplification / decompression-bomb) input that the server improperly handles during decompression. The flaw (CWE-409) affects the Linux distribution of Triton and carries a CVSS 7.5 (availability-only impact); there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability - no confidentiality or integrity loss.

Nvidia Denial Of Service Triton Inference Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-13523 LOW POC PATCH Monitor

Unbounded zlib decompression in GPAC up to version 26.02.0 allows a local low-privileged attacker to cause resource exhaustion via a crafted highly-compressed (zip-bomb) payload processed by the ISOBMFF parser and associated filter modules. The affected function `gf_gz_decompress_payload_ex()` in `src/utils/base_encoding.c` applies no ceiling on inflated output size, enabling disproportionate memory or CPU consumption. A public proof-of-concept exists (GitHub issue #3588), but no active exploitation is confirmed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the local-only attack surface and limited availability-only impact.

Information Disclosure Gpac
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVSS 7.1
HIGH PATCH This Week

Denial of service in Grav CMS 2.0.1 lets a trusted package source or admin-level uploader bypass the newly added decompression-bomb size cap and exhaust disk space or inodes on the host. The 2.0.1 cap trusts the attacker-forgeable uncompressed size declared in each ZIP central-directory entry rather than the actual inflated stream, so a crafted archive declaring tiny sizes slips past the check while extraction writes the real, far larger payload. This is an incomplete fix for GHSA-928x-9mpw-8h56, corrected in 2.0.2; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Grav
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Denial of service in libsoup's WebSocket permessage-deflate implementation lets a remote, unauthenticated attacker crash applications by sending a small, highly compressed 'decompression bomb' that expands without bound during inflation, exhausting memory and triggering an Out-of-Memory kill. All Red Hat Enterprise Linux 6 through 10 ship the affected libsoup HTTP/WebSocket library, and client connections are especially exposed because the decompressed-size guard (max_total_message_size) is disabled by default for clients. There is no public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM This Month

Denial of Service in Trellix HX (versions 10.0.0 and earlier) allows an authenticated network attacker to exhaust appliance resources by submitting a specially crafted highly-compressed file to the HX console, triggering the product's own detection engine to perform runaway decompression. The impact is limited to availability - the EDR appliance becomes unresponsive - but disruption of an endpoint detection and response platform carries secondary operational risk by creating a monitoring blind spot. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists.

Denial Of Service
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Disk exhaustion and crash vulnerability in Grav's Direct Install tool allows an authenticated admin.super user to upload a specially crafted ZIP archive that decompresses without bound, filling the server disk or crashing the process. Affecting all Grav releases prior to 2.0.0, the root cause is the Installer::unZip method invoking PHP's ZipArchive::extractTo with no enforced limits on uncompressed size, entry count, or directory depth - a classic zip bomb attack surface. No public exploit code or active exploitation has been identified at time of analysis; a vendor-released fix is available in version 2.0.0.

Denial Of Service Grav
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Grav CMS before 2.0.1 allows authenticated users to exhaust server storage by uploading a crafted ZIP archive (a decompression bomb) that the ZipArchiver::extract() routine expands without enforcing limits on uncompressed size, file count, or nesting depth. The CVSS 4.0 base score of 7.1 reflects a network-reachable, low-privilege flaw whose sole impact is high availability loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Grav
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Uncontrolled resource consumption in the smallnest rpcx Go RPC framework (through 1.9.3) lets a single unauthenticated client crash the server by sending a small (<2 MB) gzip-compressed protocol message that decompresses into gigabytes of heap. Because protocol.Message.Decode inflates the payload via util.Unzip during readRequest - before any authentication - and the only size guard (protocol.MaxMessageLength) is checked against the compressed frame rather than the decompressed output, the server exhausts memory and becomes unavailable. Publicly available exploit code exists and a vendor patch (commit 047aec1) has been released; no public evidence of active exploitation at time of analysis.

Information Disclosure Rpcx
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in the httplib2 Python HTTP client library (all versions prior to 0.32.0) lets a malicious or compromised HTTP server crash the client by returning a small gzip- or deflate-compressed response body that expands without bound during automatic decompression, exhausting memory and triggering a MemoryError or OS OOM-kill. Any application that uses httplib2 to fetch content from untrusted or attacker-controllable endpoints is affected. No public exploit identified at time of analysis; EPSS not provided, but the class is trivially demonstrable and the fix is a one-line-scope behavioral change shipped in 0.32.0.

Python Information Disclosure Httplib2
NVD GitHub VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Denial of service in Coder's coderd server allows any authenticated user with file-upload access to exhaust server memory by uploading a crafted zip bomb via POST /api/v2/files, crashing the service before RBAC checks execute. Affected versions span all supported release lines prior to v2.34.2, v2.33.8, v2.32.7, and v2.29.17 (ESR). No public exploit has been identified at time of analysis; the impact is strictly an availability loss - the advisory explicitly confirms no data disclosure or code execution is possible, contradicting the 'RCE' tag present in the intelligence feed.

Denial Of Service RCE
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Denial of service in NVIDIA Triton Inference Server for Linux allows remote unauthenticated attackers to exhaust server resources by submitting highly compressed (data-amplification / decompression-bomb) input that the server improperly handles during decompression. The flaw (CWE-409) affects the Linux distribution of Triton and carries a CVSS 7.5 (availability-only impact); there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability - no confidentiality or integrity loss.

Nvidia Denial Of Service Triton Inference Server
NVD GitHub
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Unbounded zlib decompression in GPAC up to version 26.02.0 allows a local low-privileged attacker to cause resource exhaustion via a crafted highly-compressed (zip-bomb) payload processed by the ISOBMFF parser and associated filter modules. The affected function `gf_gz_decompress_payload_ex()` in `src/utils/base_encoding.c` applies no ceiling on inflated output size, enabling disproportionate memory or CPU consumption. A public proof-of-concept exists (GitHub issue #3588), but no active exploitation is confirmed in CISA KEV; the CVSS 4.0 score of 4.8 reflects the local-only attack surface and limited availability-only impact.

Information Disclosure Gpac
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy