Skip to main content

CWE-789

Memory Allocation with Excessive Size Value

127 CVEs Avg CVSS 6.7 MITRE
1
CRITICAL
58
HIGH
66
MEDIUM
2
LOW
21
POC
0
KEV

Monthly

CVE-2026-58559 MEDIUM This Month

Uncontrolled memory allocation in Huawei's vibration service crashes affected HarmonyOS and EMUI devices, resulting in a denial-of-service condition impacting device availability. The flaw is remotely triggerable with no privileges required but demands user interaction, consistent with delivery via crafted content such as a malicious application, webpage, or message that exercises the vibration API. No public exploit code or active exploitation has been identified at time of analysis, though Huawei has issued a July 2026 security bulletin addressing the issue.

Information Disclosure Harmony Os Emui
NVD
CVSS 3.1
6.5
CVE-2026-40378 HIGH PATCH Exploit Unlikely This Week

Denial of service in the Windows Local Security Authority Subsystem Service (LSASS) allows a remote, unauthenticated attacker to crash the service and disrupt authentication across all supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. The flaw stems from an excessive-size memory allocation (CWE-789) triggerable over the network with no privileges or user interaction, and while a vendor patch is available, there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability (A:H) with no confidentiality or integrity loss, but LSASS failure can force system instability or reboots, affecting domain authentication and logon.

Authentication Bypass Microsoft Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +16
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-59204 HIGH PATCH This Week

Denial of service in Python Pillow (versions 8.2.0 through 12.2.0) allows remote attackers to exhaust memory during JPEG2000 decoding, causing out-of-memory failures in any application that decodes untrusted images. The flaw stems from Pillow's JPEG2000 decoder summing tile widths across the whole image rather than per tile, so a small crafted tiled file forces disproportionately large transient allocations. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the upstream fix (12.3.0) and a public PR/commit make the root cause fully transparent.

Python Information Disclosure Pillow
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-55213 HIGH This Week

Remote unauthenticated denial of service in the h2o HTTP server (all versions prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1) allows an attacker to crash the server by sending a crafted QPACK instruction over HTTP/3. The flaw causes lib/http3/qpack.c to allocate an ~800 KB on-stack buffer via alloca, overflowing the default musl libc pthread stack and segfaulting on the guard page. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; impact is limited to availability with no data exposure.

Denial Of Service H2O
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-40006 HIGH PATCH This Week

Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the DataNode process when the AirGap pipe receiver is enabled. The receiver's readLength method reads an attacker-controlled 32-bit length field from a raw TCP connection on port 9780 and passes it directly to new byte[length], letting a single connection trigger a heap allocation of up to ~2 GB and exhaust JVM memory. No public exploit has been identified at time of analysis, but exploitation is trivial once the feature is enabled, and Apache has released a fixed version (2.0.10).

Authentication Bypass Apache Apache Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-59938 MEDIUM PATCH This Month

Uncontrolled memory allocation in pypdf prior to 6.14.0 allows remote, unauthenticated attackers to exhaust host memory by submitting a crafted PDF containing image metadata with inflated declared sizes that vastly exceed the actual embedded image data. Any application that uses pypdf to parse untrusted PDFs is exposed; the library allocates memory proportional to the declared (attacker-controlled) size rather than the actual data length. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Python Information Disclosure Pypdf
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-15053 HIGH PATCH This Week

Denial of service in Tanium Server allows remote unauthenticated attackers to exhaust availability of the platform, per vendor advisory TAN-2026-016. The flaw is network-reachable with low complexity and no privileges or user interaction (CVSS 7.5, availability-only impact), and the CWE-789 classification indicates an uncontrolled/excessive memory allocation can be triggered remotely. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Server
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-55079 Go MEDIUM PATCH GHSA This Month

Uncontrolled memory allocation in Coder's provisioner daemon allows an authenticated user to crash the entire coderd deployment with a single ~50-byte network message. The vulnerability exists in the NewDataBuilder function within provisionersdk/proto/dataupload.go, which blindly allocates a byte slice using a client-supplied FileSize field from a DataUpload DRPC message, with no upper-bound validation. By declaring a massive FileSize value such as 1 TiB, an attacker with provisioner daemon credentials can trigger a Go runtime out-of-memory abort, terminating coderd and denying service to all users of the deployment. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis.

Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2026-55379 PyPI HIGH PATCH This Week

Uncontrolled memory allocation in Python Pillow before 12.3.0 lets a crafted BDF font file exhaust available memory and crash the host application. The BdfFontFile parser trusts the attacker-supplied BBX width/height fields and hands them to Image.new() while skipping Pillow's decompression-bomb size check, so a tiny malicious font can request a huge in-memory bitmap. Impact is availability-only (denial of service); there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass Python Pillow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55380 PyPI HIGH PATCH This Week

Denial-of-service via memory exhaustion in Python Pillow before 12.3.0 allows a crafted GD-format (.gd) image to trigger excessive C-heap allocation when opened, because GdImageFile._open() reads image dimensions straight from the GD 2.x header without invoking Pillow's Image._decompression_bomb_check() guard. Any application that loads untrusted .gd files with a vulnerable Pillow version can be crashed or driven into out-of-memory conditions. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 (availability-only impact).

Python Information Disclosure Pillow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVSS 6.5
MEDIUM This Month

Uncontrolled memory allocation in Huawei's vibration service crashes affected HarmonyOS and EMUI devices, resulting in a denial-of-service condition impacting device availability. The flaw is remotely triggerable with no privileges required but demands user interaction, consistent with delivery via crafted content such as a malicious application, webpage, or message that exercises the vibration API. No public exploit code or active exploitation has been identified at time of analysis, though Huawei has issued a July 2026 security bulletin addressing the issue.

Information Disclosure Harmony Os Emui
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in the Windows Local Security Authority Subsystem Service (LSASS) allows a remote, unauthenticated attacker to crash the service and disrupt authentication across all supported Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. The flaw stems from an excessive-size memory allocation (CWE-789) triggerable over the network with no privileges or user interaction, and while a vendor patch is available, there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is limited to availability (A:H) with no confidentiality or integrity loss, but LSASS failure can force system instability or reboots, affecting domain authentication and logon.

Authentication Bypass Microsoft Windows 10 Version 1607 +18
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in Python Pillow (versions 8.2.0 through 12.2.0) allows remote attackers to exhaust memory during JPEG2000 decoding, causing out-of-memory failures in any application that decodes untrusted images. The flaw stems from Pillow's JPEG2000 decoder summing tile widths across the whole image rather than per tile, so a small crafted tiled file forces disproportionately large transient allocations. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the upstream fix (12.3.0) and a public PR/commit make the root cause fully transparent.

Python Information Disclosure Pillow
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Remote unauthenticated denial of service in the h2o HTTP server (all versions prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1) allows an attacker to crash the server by sending a crafted QPACK instruction over HTTP/3. The flaw causes lib/http3/qpack.c to allocate an ~800 KB on-stack buffer via alloca, overflowing the default musl libc pthread stack and segfaulting on the guard page. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; impact is limited to availability with no data exposure.

Denial Of Service H2O
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated denial of service in Apache IoTDB (1.0.0 through 2.0.9) allows remote attackers to crash or degrade the DataNode process when the AirGap pipe receiver is enabled. The receiver's readLength method reads an attacker-controlled 32-bit length field from a raw TCP connection on port 9780 and passes it directly to new byte[length], letting a single connection trigger a heap allocation of up to ~2 GB and exhaust JVM memory. No public exploit has been identified at time of analysis, but exploitation is trivial once the feature is enabled, and Apache has released a fixed version (2.0.10).

Authentication Bypass Apache Apache Iotdb
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Uncontrolled memory allocation in pypdf prior to 6.14.0 allows remote, unauthenticated attackers to exhaust host memory by submitting a crafted PDF containing image metadata with inflated declared sizes that vastly exceed the actual embedded image data. Any application that uses pypdf to parse untrusted PDFs is exposed; the library allocates memory proportional to the declared (attacker-controlled) size rather than the actual data length. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Python Information Disclosure Pypdf
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Tanium Server allows remote unauthenticated attackers to exhaust availability of the platform, per vendor advisory TAN-2026-016. The flaw is network-reachable with low complexity and no privileges or user interaction (CVSS 7.5, availability-only impact), and the CWE-789 classification indicates an uncontrolled/excessive memory allocation can be triggered remotely. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Server
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Uncontrolled memory allocation in Coder's provisioner daemon allows an authenticated user to crash the entire coderd deployment with a single ~50-byte network message. The vulnerability exists in the NewDataBuilder function within provisionersdk/proto/dataupload.go, which blindly allocates a byte slice using a client-supplied FileSize field from a DataUpload DRPC message, with no upper-bound validation. By declaring a massive FileSize value such as 1 TiB, an attacker with provisioner daemon credentials can trigger a Go runtime out-of-memory abort, terminating coderd and denying service to all users of the deployment. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis.

Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uncontrolled memory allocation in Python Pillow before 12.3.0 lets a crafted BDF font file exhaust available memory and crash the host application. The BdfFontFile parser trusts the attacker-supplied BBX width/height fields and hands them to Image.new() while skipping Pillow's decompression-bomb size check, so a tiny malicious font can request a huge in-memory bitmap. Impact is availability-only (denial of service); there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass Python Pillow
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service via memory exhaustion in Python Pillow before 12.3.0 allows a crafted GD-format (.gd) image to trigger excessive C-heap allocation when opened, because GdImageFile._open() reads image dimensions straight from the GD 2.x header without invoking Pillow's Image._decompression_bomb_check() guard. Any application that loads untrusted .gd files with a vulnerable Pillow version can be crashed or driven into out-of-memory conditions. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 (availability-only impact).

Python Information Disclosure Pillow
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy