CWE-789

Memory Allocation with Excessive Size Value

35 CVEs, average CVSS 6.5 (MITRE). Severity breakdown: 0 Critical, 16 High, 18 Medium, 1 Low. 4 with public PoC, 0 in CISA KEV.

CVE-2026-35633 | MEDIUM | Patch available | GHSA | This month

OpenClaw before version 2026.3.22 allows remote attackers to trigger denial of service through unbounded memory allocation in HTTP error handling for remote media endpoints. By sending specially crafted HTTP error responses with large bodies, unauthenticated attackers can exhaust application memory, causing availability degradation. The vulnerability requires only network access and no user interaction, making it a practical attack vector for service disruption.

Tags: Information Disclosure, OpenClaw. Sources: NVD, GitHub. CVSS 4.0: 6.9. EPSS: 0.2%.
CVE-2026-35186 | MEDIUM | Patch available | GHSA | This month

Wasmtime versions 25.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 contain a compiler type-checking bug in the Winch backend where the table.grow operator returns incorrectly typed 64-bit values instead of 32-bit values for 32-bit tables, enabling read/write access to 16 bytes of host memory preceding linear memory and resulting in denial of service when Wasmtime detects the unauthorized access. The vulnerability requires explicit selection of the non-default Winch compiler backend and either disabled guard pages or modified memory layout to achieve information disclosure; default Wasmtime configurations using the Cranelift compiler and standard guard page placement are unaffected. No public exploit code or active exploitation has been identified, though the attack vector is remote and requires low-privilege authenticated access.

Tags: Denial Of Service, Wasmtime. Sources: NVD, GitHub, VulDB. CVSS 4.0: 6.1. EPSS: 0.0%.
CVE-2026-39882 | MEDIUM | Patch available | GHSA | This month

OpenTelemetry Go OTLP HTTP exporters allow memory exhaustion when sending telemetry to attacker-controlled or network-intercepted collector endpoints. The trace, metric, and log exporters read unbounded HTTP response bodies into in-memory buffers without size limits, enabling an attacker to force large transient heap allocations and crash the instrumented process via out-of-memory conditions. The attack requires network control of the collector endpoint or a man-in-the-middle position (CVSS 5.3, CVSS:3.1/AV:A/AC:H). An upstream fix is available (PR #8108); no active exploitation confirmed.

Tags: Canonical, Denial Of Service. Sources: NVD, GitHub, VulDB. CVSS 3.1: 5.3. EPSS: 0.0%.
CVE-2026-39312 | HIGH | This week

Remote unauthenticated denial-of-service in SoftEther VPN Developer Edition 5.2.5188 and earlier allows attackers to crash the vpnserver process and terminate all active VPN sessions by sending a single malformed EAP-TLS packet over raw L2TP (UDP port 1701). This pre-authentication vulnerability requires no privileges or user interaction (CVSS vector AV:N/AC:L/PR:N/UI:N), enabling trivial service disruption. No public exploit identified at time of analysis, though the attack mechanism is well-documented in vendor advisory GHSA-q5g3-qhc6-pr3h.

Tags: Denial Of Service. Sources: NVD, GitHub. CVSS 3.1: 7.5. EPSS: 0.1%.
CVE-2026-24146 | HIGH | This week

NVIDIA Triton Inference Server crashes when processing inference requests with insufficient input validation combined with large output counts, enabling remote denial of service without authentication (CVSS 7.5, EPSS data not available). The vulnerability affects all versions prior to r26.02, with no public exploit identified at time of analysis. Unauthenticated remote attackers can exploit this flaw with low complexity (AV:N/AC:L/PR:N) to completely disrupt machine learning inference services.

Tags: Nvidia, Denial Of Service. Sources: NVD, VulDB. CVSS 3.1: 7.5. EPSS: 0.0%.
CVE-2026-35549 | MEDIUM | This month

MariaDB Server is vulnerable to denial of service via large packets when the caching_sha2_password authentication plugin is enabled and accounts use it, due to unbounded stack allocation in sha256_crypt_r. Authenticated remote attackers can crash the server by sending a crafted large authentication packet. MariaDB versions before 11.4.10, 11.5.0 through 11.8.5, and 12.0.0 through 12.2.1 are affected. No public exploit code or confirmed active exploitation reported at time of analysis.

Tags: Denial Of Service. Sources: NVD, VulDB. CVSS 3.1: 6.5. EPSS: 0.0%.
CVE-2026-24030 | MEDIUM | Patch available | This month

Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious DNS over QUIC or DNS over HTTP/3 payloads that force excessive memory allocation. The attack causes the QUIC connection to close abnormally, and in systems with limited memory reserves, can force out-of-memory conditions that terminate the DNSdist process entirely.

Tags: Denial Of Service. Sources: NVD. CVSS 3.1: 5.3. EPSS: 0.0%.
CVE-2026-24158 | HIGH | This week

NVIDIA Triton Inference Server contains a denial of service vulnerability in its HTTP endpoint that can be exploited by sending large compressed payloads. The vulnerability has a CVSS score of 7.5 (High) and is exploitable remotely without authentication or user interaction. There is no evidence of active exploitation (not in CISA KEV), and no public proof-of-concept has been identified at this time.

Tags: Denial Of Service, Nvidia. Sources: NVD, VulDB. CVSS 3.1: 7.5. EPSS: 0.0%.
CVE-2026-33174 | HIGH | Patch available | This week

Rails Active Storage's Blobs::ProxyController loads entire requested byte ranges into memory before transmission, allowing remote unauthenticated attackers to exhaust server memory and cause denial of service by sending requests with large or unbounded Range headers. This vulnerability affects systems using Active Storage for file serving and requires no user interaction or authentication to exploit. A patch is available.

Tags: Information Disclosure. Sources: NVD, GitHub, VulDB. CVSS 3.1: 7.5. EPSS: 0.0%.
CVE-2026-26931 | MEDIUM | Patch available | This month

Metricbeat's Prometheus remote_write HTTP handler is vulnerable to denial of service through excessive memory allocation when processing specially crafted requests from authenticated network-adjacent attackers. An attacker with local privileges can trigger unbounded memory allocation to exhaust system resources and crash the service. No patch is currently available for this vulnerability.

Tags: Denial Of Service. Sources: NVD, VulDB. CVSS 3.1: 5.7. EPSS: 0.0%.