Skip to main content

open62541 EUVDEUVD-2026-41326

| CVE-2026-11946 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-02 ENISA GHSA-qwmm-q68h-5qf6
7.5
CVSS 3.1 · Vendor: ENISA
Share

Severity by source

Vendor (ENISA) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote, pre-session, unauthenticated and low-complexity (AV:N/AC:L/PR:N/UI:N) with availability-only impact from memory exhaustion (A:H, C/I:N), no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (ENISA).

CVSS VectorVendor: ENISA

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:07 vuln.today

DescriptionCVE.org

An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32 length field) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configurations.

The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.

AnalysisAI

Uncontrolled memory consumption in open62541's OPC UA Discovery Service allows a remote, unauthenticated attacker to crash or degrade servers by abusing the GetEndpoints request handling. Because the endpointUrl field length is never validated, an attacker can advertise a string up to ~4.09 GB and stream it across incomplete message chunks that the server buffers in RAM indefinitely until the SecureChannel times out, exhausting available memory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach OPC UA server on port 4840
Delivery
Send GetEndpoints with huge endpointUrl length
Exploit
Stream intermediate chunks, omit final chunk
Execution
Server buffers chunks in RAM
Persist
Open many channels in parallel
Impact
Exhaust memory, deny service

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to the OPC UA Discovery Service endpoint (GetEndpoints, typically TCP 4840) of a server running a vulnerable open62541 build (1.4.0-1.4.16, 1.5.0-1.5.4, or master). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), consistent with a pure availability-impact, unauthenticated, low-complexity network attack - an accurate characterization given the description confirms the attack is remote, pre-session, and requires no credentials. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to an exposed OPC UA server sends a GetEndpointsRequest declaring a multi-gigabyte endpointUrl length, then streams intermediate message chunks while deliberately never transmitting the final chunk. The server buffers each chunk in RAM and holds them until the SecureChannel times out; by opening many such channels in parallel the attacker drives memory exhaustion and denial of service. …
Remediation Patch available per vendor advisory: upgrade open62541 to a fixed release incorporating pull request https://github.com/open62541/open62541/pull/8142 (fix commit d253818d6c5e870e1db0e360b18138c8bdc809ae); an exact tagged patched version was not provided in the input, so confirm the specific release (expected on the 1.4.x and 1.5.x branches) directly with the project before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running open62541 OPC UA implementations and identify those exposed to untrusted networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

EUVD-2026-41326 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy