Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap(), the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).
AnalysisAI
A resource exhaustion vulnerability exists in Undertow where remote attackers can send HTTP GET requests with multipart/form-data content to trigger premature parsing and disk storage of request data, leading to Denial of Service when applications use parameter retrieval methods like getParameterMap(). The vulnerability affects multiple Red Hat products including Enterprise Linux 8, 9, and 10, JBoss Enterprise Application Platform 7 and 8, Red Hat Fuse 7, and several Apache Camel variants. An attacker with network access and no authentication can exhaust server disk resources with moderate attack complexity, causing service unavailability.
Technical ContextAI
The vulnerability resides in Undertow, the Java-based web server component used across Red Hat's enterprise middleware stack. The root cause stems from CWE-770 (Allocation of Resources Without Limits or Throttling), where Undertow prematurely parses and buffers multipart/form-data content to disk without proper resource constraints when an application calls getParameterMap() or similar parameter access methods. This occurs even when such content is semantically invalid in an HTTP GET request, which traditionally should contain only URL-encoded query parameters. The affected products span critical infrastructure components: Red Hat Enterprise Linux 8, 9, and 10 (base operating systems), JBoss Enterprise Application Platform 7 and 8 (application servers), Red Hat Fuse 7 (integration platform), Apache Camel Spring Boot 4 builds, Red Hat Data Grid 8 (caching layer), and Red Hat Single Sign-On 7 (identity management). The Undertow library is a foundational component in the JBoss ecosystem, making this vulnerability broadly impactful across enterprise Java deployments.
RemediationAI
Apply security updates released by Red Hat for affected products immediately, prioritizing critical systems running JBoss Enterprise Application Platform and RHEL deployments. Contact your Red Hat support organization or consult https://access.redhat.com/security/cve/CVE-2026-3260 for version-specific patch availability and errata details. As an interim mitigation before patches are available, implement reverse proxy protections such as request size limits and multipart/form-data rejection for GET requests at the network edge (e.g., nginx or Apache HTTP Server with ModSecurity rules to reject GET requests containing Content-Type: multipart/form-data). Additionally, monitor disk usage on affected systems for anomalies and establish rate limiting on HTTP request processing to prevent rapid resource exhaustion. Configure application-level restrictions to avoid calling getParameterMap() on untrusted request sources where possible, and review custom request handlers for unnecessary parameter parsing.
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14732