Skip to main content

Velocidex Velociraptor EUVDEUVD-2026-27516

| CVE-2026-7572 MEDIUM
Off-by-one Error (CWE-193)
2026-05-06 rapid7 GHSA-6cmp-qv2f-x97x
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
May 06, 2026 - 04:01 EUVD
Analysis Generated
May 06, 2026 - 03:30 vuln.today

DescriptionCVE.org

An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin.

AnalysisAI

Off-by-one error in Velocidex Velociraptor before version 0.76.5 on Windows and Linux causes denial of service when parsing specially crafted .evtx files through the parse_evtx VQL plugin. Local attackers with user-level privileges can crash the Velociraptor process by uploading or providing malformed event log files, disrupting forensic investigations and incident response operations. The vulnerability requires user interaction (file upload/selection) but grants an attacker both integrity and availability impact despite the CVSS 4.4 (Medium) rating.

Technical ContextAI

Velocidex Velociraptor is a digital forensics and incident response (DFIR) platform built with VQL (Velociraptor Query Language). The vulnerability exists in memory parsing functions ConsumeUnit16Array and ConsumeUnit64Array, which handle binary data extraction from Windows Event Log (.evtx) files. These functions suffer from off-by-one errors (CWE-193), where array boundary checks are off by one position, allowing crafted .evtx files to trigger buffer over-read or over-write conditions. The parse_evtx VQL plugin is commonly used by security teams to parse Windows event logs for threat hunting and forensic analysis. The affected CPE indicates all versions prior to 0.76.5 across all platforms are vulnerable.

RemediationAI

Upgrade Velocidex Velociraptor to version 0.76.5 or later on all affected Windows and Linux systems. This patched version corrects the off-by-one errors in the ConsumeUnit16Array and ConsumeUnit64Array functions. Until patching is completed, implement compensating controls: restrict the parse_evtx VQL plugin to trusted analysts only by modifying VQL ACLs in the Velociraptor configuration, validate .evtx files with external tools before processing them through Velociraptor, and use process monitoring/restart mechanisms (e.g., Velociraptor's built-in server auto-restart) to automatically recover from crashes. Note that disabling parse_evtx may limit forensic capabilities for event log analysis. For deployment environments, prioritize patching systems where analysts regularly process untrusted or externally sourced .evtx files. See https://docs.velociraptor.app/announcements/advisories/cve-2026-7572/ for patch download and deployment guidance.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed

Share

EUVD-2026-27516 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy