Skip to main content

Red Hat EUVDEUVD-2026-14732

| CVE-2026-3260 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-24 redhat
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 04:30 euvd
EUVD-2026-14732
Analysis Generated
Mar 24, 2026 - 04:30 vuln.today
CVE Published
Mar 24, 2026 - 04:11 nvd
MEDIUM 5.9

DescriptionCVE.org

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap(), the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).

AnalysisAI

A resource exhaustion vulnerability exists in Undertow where remote attackers can send HTTP GET requests with multipart/form-data content to trigger premature parsing and disk storage of request data, leading to Denial of Service when applications use parameter retrieval methods like getParameterMap(). The vulnerability affects multiple Red Hat products including Enterprise Linux 8, 9, and 10, JBoss Enterprise Application Platform 7 and 8, Red Hat Fuse 7, and several Apache Camel variants. An attacker with network access and no authentication can exhaust server disk resources with moderate attack complexity, causing service unavailability.

Technical ContextAI

The vulnerability resides in Undertow, the Java-based web server component used across Red Hat's enterprise middleware stack. The root cause stems from CWE-770 (Allocation of Resources Without Limits or Throttling), where Undertow prematurely parses and buffers multipart/form-data content to disk without proper resource constraints when an application calls getParameterMap() or similar parameter access methods. This occurs even when such content is semantically invalid in an HTTP GET request, which traditionally should contain only URL-encoded query parameters. The affected products span critical infrastructure components: Red Hat Enterprise Linux 8, 9, and 10 (base operating systems), JBoss Enterprise Application Platform 7 and 8 (application servers), Red Hat Fuse 7 (integration platform), Apache Camel Spring Boot 4 builds, Red Hat Data Grid 8 (caching layer), and Red Hat Single Sign-On 7 (identity management). The Undertow library is a foundational component in the JBoss ecosystem, making this vulnerability broadly impactful across enterprise Java deployments.

RemediationAI

Apply security updates released by Red Hat for affected products immediately, prioritizing critical systems running JBoss Enterprise Application Platform and RHEL deployments. Contact your Red Hat support organization or consult https://access.redhat.com/security/cve/CVE-2026-3260 for version-specific patch availability and errata details. As an interim mitigation before patches are available, implement reverse proxy protections such as request size limits and multipart/form-data rejection for GET requests at the network edge (e.g., nginx or Apache HTTP Server with ModSecurity rules to reject GET requests containing Content-Type: multipart/form-data). Additionally, monitor disk usage on affected systems for anomalies and establish rate limiting on HTTP request processing to prevent rapid resource exhaustion. Configure application-level restrictions to avoid calling getParameterMap() on untrusted request sources where possible, and review custom request handlers for unnecessary parameter parsing.

Vendor StatusVendor

Share

EUVD-2026-14732 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy