Skip to main content

Synapse EUVDEUVD-2026-32935

| CVE-2026-45078 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-05-14 https://github.com/element-hq/synapse GHSA-8q93-326v-3m7g
6.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 28, 2026 - 17:22 NVD
6.8 (MEDIUM)
Source Code Evidence Fetched
May 14, 2026 - 17:02 vuln.today
Analysis Generated
May 14, 2026 - 17:02 vuln.today
CVE Published
May 14, 2026 - 16:18 nvd
HIGH

DescriptionGitHub Advisory

Impact

Local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service.

Homeservers that trust all their local users are not at risk.

Patches

Update to Synapse 1.152.1 or later.

Workarounds

If Synapse is deployed behind a reverse proxy, the reverse proxy could be configured to limit the rate of user requests, preventing or increasing the difficulty of the attack.

Identifiers

  • ELEMENTSEC-2026-1706

For more information

If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).

AnalysisAI

Matrix Synapse homeserver versions prior to 1.152.1 allow authenticated local users to trigger CPU starvation that denies service to other users by exploiting unbounded lock timeout intervals in the WorkerLock implementation. Synapse deployments that do not trust all local users face service availability risk from malicious authenticated accounts. Vendor-released patch available in version 1.152.1 (GitHub commit 3f58bc50dfba5768ee43ce48c5e74c25ba0b078a confirms fix). No public exploit identified at time of analysis, though the attack mechanism is straightforward for any authenticated user.

Technical ContextAI

Synapse is the reference Python-based Matrix homeserver implementation (matrix-synapse pip package). This vulnerability stems from CWE-400 (Uncontrolled Resource Consumption) in the WorkerLock and WaitingMultiLock classes within synapse/handlers/worker_lock.py. The code previously used an exponentially increasing retry interval with no upper bound when waiting to acquire locks - the _retry_interval could grow indefinitely via max(5, next * 2) until exceeding 10 minutes before logging a warning. GitHub commit evidence shows the fix caps timeout intervals at 60 seconds (WORKER_LOCK_MAX_RETRY_INTERVAL) and adds early warning logging at 10 minutes of lock contention. Malicious authenticated users could intentionally hold locks or create lock contention scenarios, forcing other requests into exponentially increasing wait states that consume CPU cycles checking for lock availability, eventually starving legitimate request processing threads.

RemediationAI

Upgrade Matrix Synapse to version 1.152.1 or later via pip (pip install --upgrade matrix-synapse==1.152.1). The fix commit 3f58bc50dfba5768ee43ce48c5e74c25ba0b078a caps WorkerLock timeout intervals at 60 seconds maximum and adds deadlock detection warnings after 10 minutes of lock contention. For environments unable to immediately upgrade, deploy a reverse proxy (nginx, Trafficserver, HAProxy) configured with per-user rate limiting to constrain request volumes from authenticated users - this increases attack difficulty but does not eliminate the vulnerability since legitimate authenticated users still need reasonable request rates. Rate limiting trade-off: overly aggressive limits may impact legitimate client sync operations and large room operations; start with generous limits and monitor for abuse patterns. Full advisory and patch details at https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-32935 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy