Skip to main content

TDengine EUVDEUVD-2026-44767

| CVE-2026-62349 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-07-15 security-advisories@github.com
8.3
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
vuln.today AI
7.6 HIGH

Network-reachable SQL parser needs low-priv authentication (PR:L) and is easy to trigger (AC:L); single-byte overflow yields reliable DoS (A:H) but only speculative, limited C/I impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
High

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 21:18 EUVD
Analysis Generated
Jul 15, 2026 - 19:31 vuln.today
CVE Published
Jul 15, 2026 - 19:18 cve.org
HIGH 8.3

DescriptionCVE.org

TDengine is an open source, time-series database optimized for Internet of Things devices. In 3.4.1.6 and earlier, source/libs/parser/src/parUtil.c trimString() checks space for only one byte before processing SQL string escape sequences \%, \_, or \x, allowing a one-byte out-of-bounds write to the stack buffer tmpTokenBuf that can cause denial of service and potentially remote code execution. This issue is fixed in version 3.4.1.14.

AnalysisAI

Stack-based buffer overflow in TDengine (open-source IoT time-series database) versions 3.4.1.6 and earlier allows an authenticated user to trigger a one-byte out-of-bounds write by submitting SQL containing crafted escape sequences (\%, \_, or \x), leading to denial of service and potentially remote code execution. The flaw sits in the SQL parser's trimString() routine, which validates only a single byte of remaining space in the tmpTokenBuf stack buffer before writing escape-processed data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege DB account
Delivery
Submit SQL with crafted \%/\_/\x escape
Exploit
Trigger one-byte OOB write in trimString()
Execution
Corrupt tmpTokenBuf stack memory
Impact
Crash server (DoS) or attempt code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session capable of submitting SQL to the TDengine engine (CVSS PR:L), and the malicious input must contain one of the specific string-escape sequences \%, \_, or \x within a SQL string literal so that trimString() enters the vulnerable escape-processing path with tmpTokenBuf near full. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 8.3 (High) with vector AV:N/AC:L/PR:L/UI:N, indicating network-reachable, low-complexity exploitation that requires some level of authentication (PR:L) - consistent with the need to submit SQL to the database engine. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a low-privilege TDengine account (or an application service account reachable via SQL injection) submits a query whose string literal contains a crafted \%, \_, or \x escape sequence sized to overflow tmpTokenBuf by one byte. The malformed input corrupts adjacent stack memory during parsing, crashing the server process and denying service to all clients; with significant additional effort and favorable memory layout the same primitive is claimed to be leverageable toward code execution. …
Remediation Vendor-released patch: upgrade to TDengine 3.4.1.14 or later, which corrects the bounds check in trimString(); this is the primary and recommended fix per the vendor advisory at https://github.com/taosdata/TDengine/security/advisories/GHSA-4v5h-fxjw-vrmq. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running TDengine versions 3.4.1.6 or earlier and document which applications and user accounts have database access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44767 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy