Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote, pre-session, unauthenticated and low-complexity (AV:N/AC:L/PR:N/UI:N) with availability-only impact from memory exhaustion (A:H, C/I:N), no scope change.
Primary rating from Vendor (ENISA).
CVSS VectorVendor: ENISA
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32 length field) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configurations.
The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
AnalysisAI
Uncontrolled memory consumption in open62541's OPC UA Discovery Service allows a remote, unauthenticated attacker to crash or degrade servers by abusing the GetEndpoints request handling. Because the endpointUrl field length is never validated, an attacker can advertise a string up to ~4.09 GB and stream it across incomplete message chunks that the server buffers in RAM indefinitely until the SecureChannel times out, exhausting available memory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network access to the OPC UA Discovery Service endpoint (GetEndpoints, typically TCP 4840) of a server running a vulnerable open62541 build (1.4.0-1.4.16, 1.5.0-1.5.4, or master). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), consistent with a pure availability-impact, unauthenticated, low-complexity network attack - an accurate characterization given the description confirms the attack is remote, pre-session, and requires no credentials. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to an exposed OPC UA server sends a GetEndpointsRequest declaring a multi-gigabyte endpointUrl length, then streams intermediate message chunks while deliberately never transmitting the final chunk. The server buffers each chunk in RAM and holds them until the SecureChannel times out; by opening many such channels in parallel the attacker drives memory exhaustion and denial of service. … |
| Remediation | Patch available per vendor advisory: upgrade open62541 to a fixed release incorporating pull request https://github.com/open62541/open62541/pull/8142 (fix commit d253818d6c5e870e1db0e360b18138c8bdc809ae); an exact tagged patched version was not provided in the input, so confirm the specific release (expected on the 1.4.x and 1.5.x branches) directly with the project before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running open62541 OPC UA implementations and identify those exposed to untrusted networks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote memory exhaustion in open62541's FindServers Discovery Service lets an unauthenticated attacker crash or degrade
The package open62541/open62541 before 1.2.5, from 1.3-rc1 and before 1.3.1 are vulnerable to Denial of Service (DoS) du
Null pointer dereference in open62541's client library (versions up to 1.5.5) allows a remote OPC UA server to crash a c
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41326
GHSA-qwmm-q68h-5qf6