Skip to main content

aiwaves-cn agents EUVDEUVD-2026-29202

| CVE-2026-8319 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-11 VulDB GHSA-ch88-c67q-65r9
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 11, 2026 - 20:37 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
May 11, 2026 - 19:47 vuln.today
CVE Published
May 11, 2026 - 18:45 nvd
MEDIUM 5.3

DescriptionCVE.org

A weakness has been identified in aiwaves-cn agents up to e8c4e3c2d19739d3dff59e577d1c97090cc15f59. Affected by this issue is the function recall_relevant_memories_to_working_memory of the file core/cat/looking_glass/stray_cat.py of the component cheshire_cat_core. This manipulation causes resource consumption. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Denial of service in aiwaves-cn agents up to commit e8c4e3c2d19739d3dff59e577d1c97090cc15f59 allows remote unauthenticated attackers to exhaust server resources via the recall_relevant_memories_to_working_memory function in cheshire_cat_core component, causing service unavailability. Publicly available exploit code exists (CWE-400: Uncontrolled Resource Consumption). With an CVSS score of 5.3 and EPSS exploitation probability rated 'P', this represents a moderate-severity availability threat suitable for prioritization in resource-constrained environments.

Technical ContextAI

The vulnerability resides in the recall_relevant_memories_to_working_memory function within core/cat/looking_glass/stray_cat.py of the cheshire_cat_core component. This function is part of the memory management subsystem in aiwaves-cn agents, likely handling retrieval and processing of stored memory objects for agent decision-making. The root cause is CWE-400 (Uncontrolled Resource Consumption), indicating inadequate limits on CPU, memory, or I/O resources consumed during memory recall operations. An attacker can craft requests that force excessive resource allocation without proper rate-limiting, input validation, or resource quotas, allowing a single remote connection to degrade service availability for legitimate users.

RemediationAI

Upgrade aiwaves-cn agents to the latest development version beyond commit e8c4e3c2d19739d3dff59e577d1c97090cc15f59 by pulling the latest main branch from https://github.com/aiwaves-cn/agents/ and rebuilding. Since the vendor has not yet responded to the issue report (per CVE description), no official patched release tag exists; verify the fix by checking if the recall_relevant_memories_to_working_memory function in core/cat/looking_glass/stray_cat.py includes resource consumption limits or rate-limiting controls. As an interim compensating control, implement network-level rate-limiting on endpoints that trigger memory recall (block requests exceeding 10-20 calls per second per IP or session), configure process resource limits via systemd cgroups or container resource quotas (e.g., memory cap of 512MB, CPU limit of 50%), and disable or restrict access to the memory recall endpoint to authenticated users only if the business logic permits. Monitor CPU and memory usage patterns for anomalous spikes during normal operation to detect attack attempts. Note the trade-off: IP-based rate-limiting may block legitimate high-frequency agent queries, and memory caps risk agent crashes during peak workload; validate thresholds in a staging environment before production deployment.

Share

EUVD-2026-29202 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy