Denial Of Service

Ella Core panics and crashes when processing malformed NGAP handover failure messages from a gNodeB, causing a denial of service for all connected mobile subscribers. An authenticated attacker with high privileges on the radio network can force a gNodeB to send crafted NGAP handover failure messages that trigger a null pointer dereference in Ella Core's handover handler, terminating the core network process. No public exploit code or active exploitation has been identified.

Haraka email server crashes when processing emails with `__proto__` as a header name, enabling remote unauthenticated denial of service. Attackers can send a specially crafted email via SMTP to crash worker processes, disrupting email delivery. In single-process deployments, the entire server becomes unavailable; in cluster mode, all active sessions are terminated. No public exploit identified at time of analysis beyond the published proof-of-concept code, though exploitation requires only basic SMTP access.

Denial of service vulnerability in Nothings stb image library (stb_image.h) affecting GIF decoder function stbi__gif_load_next allows remote attackers to trigger application crashes through specially crafted GIF files. The vulnerability impacts stb versions up to 2.30, requires user interaction to open a malicious GIF, and has publicly available exploit code with no vendor patch available despite early disclosure.

Aiohttp prior to version 3.13.4 allocates entire multipart form fields into memory before validating against the client_max_size limit, enabling unauthenticated remote attackers to cause denial of service through memory exhaustion. The vulnerability affects all versions before 3.13.4 and carries a low CVSS score (2.7) reflecting limited availability impact, with no public exploit code or active exploitation confirmed at time of analysis.

Memory exhaustion vulnerability in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to trigger denial of service via specially crafted HTTP responses containing excessive multipart headers. The vulnerability exploits insufficient memory limits during multipart header parsing, causing the server or client to consume more memory than intended. CVSS 6.6 (medium-high availability impact) with no public exploit code identified at time of analysis.

Unbounded DNS cache in AIOHTTP prior to version 3.13.4 allows remote attackers to cause denial of service through excessive memory consumption. An attacker can trigger repeated DNS lookups with unique hostnames to grow the in-memory cache without bounds, eventually exhausting available system memory. AIOHTTP 3.13.4 and later include a patch that implements cache limits. This is a network-accessible vulnerability requiring no authentication or user interaction, but exploitation requires deliberate attack traffic and does not result in data compromise or system takeover.

Remote code execution in OpenSTAManager v2.10.1 and earlier allows authenticated attackers to achieve unauthenticated RCE via chained exploitation of arbitrary SQL injection (GHSA-2fr7-cc4f-wh98) and insecure PHP deserialization in the oauth2.php endpoint. The unauthenticated oauth2.php file calls unserialize() on attacker-controlled database content without class restrictions, enabling gadget chain exploitation (Laravel/RCE22) to execute arbitrary system commands as www-data. Attack requires initial admin credentials to inject malicious serialized objects via SQL injection, then triggers via anonymous GET request. Vendor-released patch available in v2.10.2. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though detailed proof-of-concept included in advisory with working Python exploit scripts.

Time-based blind SQL injection in OpenSTAManager ≤2.10.1 allows authenticated users to extract complete database contents including credentials, financial records, and PII through multiple AJAX select handlers. The vulnerability affects three core modules (preventivi, ordini, contratti) where the `options[stato]` GET parameter is concatenated directly into SQL WHERE clauses without validation. Exploitation requires only low-privilege authentication (CVSS PR:L) and has been confirmed with working proof-of-concept code demonstrating 10-second SLEEP delays and successful extraction of admin username, bcrypt password hashes, and MySQL version. Vendor-released patches are available in version 2.10.2 via commits 50b9089 and 679c40f. No public exploit identified at time of analysis beyond researcher PoC, with CVSS 8.8 (High) reflecting network accessibility, low complexity, and complete confidentiality/integrity/availability impact.

Memory exhaustion in aiohttp's header and trailer handling allows remote attackers to cause denial of service by sending attacker-controlled HTTP requests or responses with uncapped header/trailer values. The vulnerability affects aiohttp Python library across affected versions, enabling attackers to exhaust application memory without authentication. A mitigation is available via reverse proxy configuration, and upstream patch has been released.

Remote denial of service via integer overflow in Corosync cluster engine affects Red Hat Enterprise Linux 7-10 and OpenShift Container Platform 4. Unauthenticated attackers can send crafted UDP packets to crash Corosync services running in totemudp/totemudpu mode (CVSS 7.5, AV:N/PR:N). EPSS data not provided; no public exploit identified at time of analysis. Impacts high-availability cluster deployments where Corosync provides quorum and messaging services.

Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memory via malformed UDP packets. Affects default totemudp/totemudpu configurations across Red Hat Enterprise Linux 7/8/9/10 and OpenShift Container Platform 4. CVSS 8.2 (High) with network attack vector, low complexity, and no authentication required. EPSS and exploitation status data not available; no public exploit identified at time of analysis. Impacts high-availability clustering infrastructure commonly used in enterprise production environments.

Use-after-free in Linux kernel AppArmor subsystem allows local attackers to cause denial of service or potentially execute code by racing the opening of rawdata profile files against profile removal, triggering access to freed memory in the aa_loaddata structure. The vulnerability exploits an unrefcounted rawdata inode design where concurrent VFS and profile destruction operations create a window for dangling pointer dereference during seq_rawdata_open(). No public exploit code or active exploitation has been identified; the fix involves implementing a double refcount scheme to properly manage rawdata lifecycle.

Linux kernel AppArmor policy namespace implementation allows arbitrary nesting and creation of policy namespaces without enforcing depth limits, enabling local attackers to exhaust system resources through unbounded namespace proliferation. The vulnerability affects AppArmor in the Linux kernel across multiple stable branches. This is a denial-of-service vulnerability requiring local access, with fixes available across stable kernel versions.

Stack exhaustion in AppArmor profile removal allows local denial of service by crafting deeply nested profiles that trigger recursive kernel stack consumption. The Linux kernel's AppArmor security module can be crashed by a local user with permission to load profiles via the apparmor_parser tool and trigger removal through sysfs, causing kernel stack overflow. The fix replaces recursive profile removal with an iterative approach to prevent stack exhaustion.

Use-after-free in Chrome's compositing engine allows remote attackers who have compromised the renderer process to escape the sandbox via crafted HTML pages in Google Chrome prior to version 146.0.7680.178. This high-severity vulnerability requires prior renderer compromise but enables privilege escalation from the sandboxed renderer to system-level access, making it a critical sandbox bypass vector. Vendor-released patch addresses the issue in Chrome 146.0.7680.178 and later.

Use-after-free in Google Chrome's Navigation component prior to version 146.0.7680.178 enables sandbox escape for attackers who have already compromised the renderer process, allowing them to potentially execute arbitrary code with elevated privileges via a malicious HTML page. Chromium rates this as high severity; patch availability confirmed from vendor.

Use-after-free in Chrome's WebView on Android prior to version 146.0.7680.178 allows a remote attacker with a compromised renderer process to escape the sandbox via crafted HTML, potentially leading to arbitrary code execution outside the browser's security boundary. This vulnerability requires prior renderer compromise but eliminates a critical containment layer, classified as High severity by Chromium.

Remote code execution in Google Chrome prior to version 146.0.7680.178 allows attackers to execute arbitrary code within the Chrome sandbox via a specially crafted PDF file. The vulnerability exists in Chrome's PDF handling component and is caused by a use-after-free memory corruption flaw. Patch availability has been confirmed via vendor release, and the Chromium security team has classified this as High severity.

Remote code execution in Google Chrome's CSS engine prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page. The vulnerability stems from a use-after-free memory error in CSS processing, classified as high severity by the Chromium security team. Vendor-released patch available in Chrome 146.0.7680.178 and later.

Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in the Dawn graphics library allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries high severity per Chromium's assessment.

Remote code execution in Google Chrome prior to version 146.0.7680.178 via use-after-free vulnerability in WebGL allows unauthenticated remote attackers to execute arbitrary code within the browser sandbox by delivering a crafted HTML page. The vulnerability is marked as High severity by Chromium security and a vendor-released patch is available.

Remote code execution in Google Chrome prior to 146.0.7680.178 via use-after-free vulnerability in Dawn graphics subsystem allows an attacker who has already compromised the renderer process to execute arbitrary code through a crafted HTML page. This vulnerability requires prior renderer compromise but presents significant risk in multi-process exploitation chains; vendor has released patched version 146.0.7680.178 to address the issue.

Remote code execution in Google Chrome prior to version 146.0.7680.178 via a use-after-free vulnerability in the Dawn graphics component allows attackers who have already compromised the renderer process to execute arbitrary code through a crafted HTML page. The vulnerability requires prior renderer compromise but results in full code execution with high severity per Chromium's security classification.

Remote code execution in Google Chrome prior to 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code within the Chrome sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the WebCodecs component. The vulnerability affects all versions before the patched release and has been addressed by Google with a vendor-released patch; no public exploit code or active exploitation has been confirmed at the time of analysis.

Remote code execution in Google Chrome on Android via use-after-free vulnerability in Web MIDI allows unauthenticated remote attackers to execute arbitrary code through a crafted HTML page. The vulnerability affects Chrome versions prior to 146.0.7680.178 and carries high severity per Chromium's security classification. A vendor-released patch is available.

Denial of service in Foxit PDF Editor and Foxit PDF Reader allows local attackers to crash the application by opening a crafted PDF containing a stamp annotation with missing appearance (AP) data. The vulnerability stems from insufficient validation before dereferencing annotation objects, triggering a null pointer exception. No public exploit code has been identified, and patch availability has not been confirmed from available advisory data.

Foxit PDF Editor and PDF Reader are vulnerable to denial of service via uncontrolled recursion in maliciously crafted PDF documents containing cyclic object references in pages and annotations. When such documents are processed by APIs performing deep object traversal (such as SOAP handlers), the applications exhaust stack memory and crash. The vulnerability requires only local access and no user interaction beyond opening a malicious PDF, making it a practical attack vector for local denial of service.

BEAM VM atom table exhaustion in Ash Framework's Module type allows remote denial-of-service against Elixir applications. The ash package (all versions prior to v3.22.0) unconditionally creates Erlang atoms from user-supplied strings in Ash.Type.Module.cast_input/2 before validation, enabling attackers to crash the entire VM by submitting ~1 million unique 'Elixir.*' strings to any API endpoint with :module-typed attributes. Vendor patch released in commit 7031103 (v3.22.0). No public exploit identified at time of analysis, though the advisory provides detailed proof-of-concept code demonstrating trivial exploitation via repeated API requests.

NULL pointer dereference in Mbed TLS distinguished name (X.509) parsing allows remote attackers to trigger a denial of service by writing to address 0, affecting Mbed TLS versions 3.6.5 and earlier, and 4.0.0. The vulnerability is reachable during X.509 certificate processing and does not require authentication. No public exploit code or active exploitation has been confirmed at the time of analysis.

Buffer overflow in TOTOlink A3600R v5.9c.4959 setAppEasyWizardConfig interface allows remote code execution or denial of service via unvalidated rootSsid parameter in /lib/cste_modules/app.so. The vulnerability affects a Wi-Fi router's configuration endpoint and enables unauthenticated attackers to trigger memory corruption with potential for arbitrary code execution. No CVSS vector or patch status was available at time of analysis.

Denial of service in iccDEV prior to version 2.3.1.6 allows local attackers to crash the iccApplyNamedCmm tool by supplying a malformed ICC color profile that triggers a null-pointer dereference in the CIccCombinedConnectionConditions constructor. The vulnerability requires local file system access to provide the crafted profile and causes application termination with no code execution or data corruption, affecting users processing untrusted ICC profiles through the -PCC flag.

Stack overflow in iccDEV's SIccCalcOp::ArgsUsed() function allows local attackers to trigger a denial of service by supplying a crafted ICC color profile to iccApplyProfiles. The vulnerability affects iccDEV versions prior to 2.3.1.6 and requires no authentication or user interaction; exploitation manifests as application crash during calculator argument computation. No public exploit code or active exploitation has been identified at time of analysis.

Null pointer dereference in iccDEV versions prior to 2.3.1.6 causes denial of service when processing ICC color management profiles with malformed lookup table (LUT) structures. The vulnerability exists in IccTagLut.cpp where CIccApplyCLUT member access occurs without null validation, allowing local attackers to crash applications that parse untrusted color profiles. No public exploit code or active exploitation has been confirmed at time of analysis.

Denial of service via null-pointer dereference in iccDEV prior to version 2.3.1.6 allows local attackers to crash the application by processing a crafted ICC color profile embedded in a TIFF file. The vulnerability exists in the CIccTagLut16::Write() function and requires local file system access but no authentication or user interaction. No public exploit code or active exploitation has been confirmed; the issue is considered moderate severity due to denial-of-service impact only (no code execution or data compromise).

Nuxt OG Image versions prior to 6.2.5 are vulnerable to denial of service through unbounded image dimension parameters in the /_og/d/ endpoint. Attackers can specify arbitrarily large width and height values, causing the image-generation component to consume excessive CPU and memory resources, resulting in application unavailability. No authentication is required to exploit this vulnerability.

Deserialization of untrusted data in NVIDIA BioNeMo Framework enables local attackers to execute arbitrary code, cause denial of service, disclose sensitive information, or tamper with data when users open malicious files. CVSS 7.8 (High) reflects local attack vector requiring user interaction. EPSS data not available; no public exploit identified at time of analysis. Affects NVIDIA BioNeMo Framework, a platform for AI-driven drug discovery and biomolecular research.

Insecure deserialization in NVIDIA BioNeMo Framework enables remote code execution when attackers can induce users to process malicious serialized data. This vulnerability (CWE-502) affects the BioNeMo Framework with network-reachable attack surface (AV:N) and low complexity (AC:L), requiring only user interaction (UI:R) but no authentication (PR:N). The CVSS 8.8 rating reflects critical impacts across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though the deserialization vulnerability class is well-understood and commonly exploited. EPSS data not available for this CVE.

Command injection in NVIDIA Jetson Linux initrd allows physical attackers to execute arbitrary code with elevated privileges across Jetson Xavier, Orin, and Thor series devices. An attacker with physical access can inject malicious command-line arguments during boot without authentication (CVSS:3.1/AV:P/AC:L/PR:N), leading to complete system compromise including root-level code execution, denial of service, and data exfiltration. EPSS data not available; no public exploit identified at time of analysis, though the low attack complexity (AC:L) and physical-only requirement (AV:P) suggest exploitation is straightforward for adversaries with device access.

NVIDIA Jetson system initialization flaw allows authenticated remote attackers to exploit insecure default machine IDs, enabling cross-device information disclosure of encrypted data and tampering. Affects JetPack on Xavier and Orin series devices. CVSS 8.3 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV status not present). The vulnerability enables attackers with low-level privileges to compromise multiple devices sharing identical default machine identifiers, undermining cryptographic protections and system integrity across the device fleet.

DNSdist instances using custom Lua code can be crashed via denial of service when the DNSQuestion:getEDNSOptions method accesses a modified DNS packet, triggering a use-after-free condition. This affects DNSdist across all versions and requires network access to send crafted DNS queries, but the attack demands specific Lua code patterns and high attack complexity; no public exploit or active exploitation has been confirmed, and the real-world impact is limited to environments where custom Lua DNS query handlers reference EDNS options.

DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:changeName, DNSResponse:changeName), allowing unauthenticated remote attackers to craft DNS responses that trigger out-of-bounds writes and exceed the 65535-byte DNS packet size limit, resulting in denial of service via crash. CVSS 5.9 (high availability impact); no public exploit code identified at time of analysis.

Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious DNS over QUIC or DNS over HTTP/3 payloads that force excessive memory allocation. The attack causes the QUIC connection to close abnormally, and in systems with limited memory reserves, can force out-of-memory conditions that terminate the DNSdist process entirely.

Out-of-bounds read in PowerDNS dnsdist allows unauthenticated remote attackers to trigger denial of service or potential information disclosure by sending a crafted DNS response packet when custom Lua code uses the newDNSPacketOverlay function to parse packets. CVSS 5.3 indicates moderate severity with network-accessible attack surface and no privilege or user interaction required.

Heap-based buffer overflow in gdk-pixbuf JPEG loader allows unauthenticated remote attackers to trigger denial of service through specially crafted JPEG images without user interaction. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and can be triggered automatically during thumbnail generation operations. With CVSS 7.5 (High) and network-accessible attack vector, this poses significant availability risk. No public exploit identified at time of analysis, though EPSS data not available for final risk quantification.

FreeRDP prior to version 3.24.2 contains a double-free vulnerability in Kerberos authentication handling that crashes FreeRDP clients during NLA connection teardown following failed authentication attempts on systems with Kerberos configured. The vulnerability affects all versions before 3.24.2 across multiple Linux distributions (Debian, Ubuntu) and requires network access but no authentication credentials, presenting a denial-of-service vector against RDP clients in enterprise environments using Kerberos or Kerberos U2U authentication. No public exploit code has been identified, and the impact is limited to availability (denial of service) rather than confidentiality or integrity.

FreeRDP clients before version 3.24.2 crash with SIGABRT when connecting through a malicious RDP Gateway due to an unvalidated auth_length field triggering a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks(). This pre-authentication denial of service affects all FreeRDP clients using RPC-over-HTTP gateway transport, regardless of user authentication status. The vulnerability has been patched in version 3.24.2.

Denial of service in FreeRDP prior to version 3.24.2 allows remote attackers to crash the client via a malicious RDP server sending IMA ADPCM audio data with an invalid step index value (≥89). The unvalidated network-supplied index causes an out-of-bounds access into an 89-entry lookup table, triggering a WINPR_ASSERT() failure and process abort. This affects all FreeRDP clients with audio redirection enabled (the default configuration), requiring user interaction to establish an RDP connection but no authentication. No public exploit code identified at time of analysis.

Remote denial of service in NanoMQ MQTT Broker 0.24.6 allows unauthenticated remote attackers to crash the broker by connecting without credentials when HTTP authentication is enabled with username/password placeholders, triggering a null pointer dereference in the auth_http.c module. The vulnerability requires high attack complexity (user interaction via specific MQTT CONNECT configuration) but results in broker unavailability. Vendor-released patch version 0.24.7 addresses the issue.

Uncaught TypeError in Node.js HTTP server crashes applications when clients send specially crafted `__proto__` headers and code accesses `req.headersDistinct`. The exception occurs synchronously in a property getter, bypassing standard error handling mechanisms and causing immediate service disruption. Affects Node.js versions 20.x, 22.x, 24.x, and 25.x with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only sending a malformed HTTP header with no authentication (CVSS:3.0/AV:N/AC:L/PR:N/UI:N).

Maliciously crafted `.idx` files in go-git v5 cause asymmetric memory consumption leading to Denial of Service through integer overflow vulnerabilities. Exploitation requires local write access to the `.git` directory, limiting attack surface to scenarios where an attacker has already compromised repository access or can inject files into a shared repository. No public exploit code or active exploitation has been confirmed; however, the low CVSS complexity and requirement for only low-privilege local access make this a moderate operational concern for development environments and CI/CD systems that process untrusted repositories.

Remote denial of service in GNU C Library (glibc) 2.43 and earlier allows unauthenticated remote attackers to crash applications via malformed input during character set conversion from IBM1390 or IBM1399 encodings. The vulnerability triggers an assertion failure in the iconv() function with high attack reliability (CVSS 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Proof-of-concept code exists and CISA SSVC assessment confirms the issue is automatable with partial technical impact, making this a practical denial-of-service vector for any networked application processing untrusted character encoding conversions.

Authenticated denial of service in nginx-ui 2.3.3 and earlier allows any user with settings access to submit a negative integer for the logrotate.interval parameter, triggering an infinite loop in the backend that exhausts CPU resources and renders the web interface unresponsive. Vendor-released patch available in v2.3.4. No public exploit code identified beyond proof-of-concept documentation; not confirmed as actively exploited.

Race condition in nginx-ui web interface allows remote authenticated attackers to corrupt the primary configuration file (app.ini) through concurrent API requests, resulting in persistent denial of service and potential remote code execution. The vulnerability affects nginx-ui versions prior to 2.3.4 deployed in production environments including Docker containers. Concurrent POST requests to /api/settings trigger unsynchronized file writes that interleave at the OS level, corrupting configuration sections and creating cross-contamination between INI fields. In non-deterministic scenarios, user-controlled input can overwrite shell command fields (ReloadCmd, RestartCmd), enabling arbitrary command execution during nginx reload operations. Public exploit code demonstrates the attack path using standard HTTP testing tools. No CISA KEV listing or EPSS data available at time of analysis, but proof-of-concept with detailed reproduction steps exists in the GitHub security advisory.

Authenticated users in nginx-ui v2.3.3 and earlier can delete the entire `/etc/nginx` configuration directory via path traversal using double-encoded sequences (..%252F), causing immediate Nginx service failure and denial of service. The vulnerability exploits improper URL canonicalization combined with unsafe recursive deletion logic that resolves malicious paths to the base configuration directory instead of rejecting them.

Denial of service in MongoDB Server allows authenticated users with limited cluster privileges to crash a mongod process during replica set to sharded cluster promotion, causing potential primary failure. Affects MongoDB 8.2 before 8.2.2, 8.0.18+, and 7.0.31+. No public exploit code or active exploitation confirmed; CVSS 5.3 reflects the narrow attack window and authentication requirement.

Denial of service in Node.js url.format() function allows authenticated remote attackers to crash Node.js processes by supplying malformed internationalized domain names (IDNs) with invalid characters, triggering an assertion failure in native code. CVSS 5.7 (medium severity) with EPSS exploitation probability not independently confirmed. No public exploit code or CISA KEV status identified at time of analysis, but the simplicity of triggering the crash via a standard library function poses moderate real-world risk to production Node.js applications handling untrusted URL input.

Buffer overflow in virtio-win's RhelDoUnMap() function allows local privileged users to trigger a denial of service by supplying an excessive number of descriptors during unmap operations, causing system crashes. Affects Red Hat Enterprise Linux 8, 9, and 10 across multiple architectures. The vulnerability requires high-level privilege (PR:H) but offers no confidentiality or integrity protections beyond the immediate DoS impact, with a CVSS score of 6.7 reflecting the local attack requirement and high-privilege barrier.

Unchecked arithmetic in Rust libp2p-gossipsub heartbeat processing allows remote unauthenticated denial of service via crafted PRUNE control messages. Network-reachable Gossipsub peers can crash vulnerable nodes by sending PRUNE messages with near-maximum backoff values (~i64::MAX), triggering an instant overflow panic during subsequent heartbeat cycles (43-74 seconds later). This is a distinct vulnerability from CVE-2026-33040, affecting a different code path in expiry handling rather than initial insertion. Reported by Ethereum Foundation security team; no public exploit identified at time of analysis, but attack vector is straightforward for any peer capable of establishing libp2p sessions.

Remote denial of service in tinyproxy versions through 1.11.3 allows unauthenticated attackers to exhaust all proxy worker connections via malformed HTTP chunked transfer encoding. An integer overflow in chunk size parsing (using strtol() without ERANGE validation) enables attackers to send LONG_MAX values that bypass size checks and trigger arithmetic overflow during chunklen+2 calculations. This forces the proxy to attempt reading unbounded request body data, holding worker slots indefinitely until all connections are exhausted and new clients are rejected. Upstream fix available (commits bb7edc4, 969852c) but latest stable release 1.11.3 remains unpatched. EPSS data not available; no public exploit identified at time of analysis, though attack complexity is low (CVSS AC:L) and requires no authentication (PR:N).

OpenAirInterface AMF version 2.2.0 crashes during message decoding when processing specific malformed input sequences, enabling a denial of service condition. A remote attacker can trigger a consistent crash by sending specially crafted hex-encoded packets (example: 80 00 00 0E 00 00 01 00 0F 80 02 02 40 00 58 00 01 88) to the AMF component. No public exploit code has been identified, but the crash is reproducible with known input patterns.

Unauthenticated file upload in parisneo/lollms versions ≤2.2.0 enables remote attackers to submit arbitrary files for text extraction without authentication via the `/api/files/extract-text` endpoint. The vulnerability (CWE-287: Improper Authentication) allows resource exhaustion DoS attacks and potential information disclosure, with CVSS 7.5 (High) reflecting network-accessible attack surface requiring no privileges. EPSS data not available; no public exploit identified at time of analysis, though the simplicity (AC:L, PR:N) suggests trivial exploitation once endpoint details are known.

Prototype pollution in MikroORM's Utils.merge function allows attackers to modify JavaScript object prototypes when applications pass untrusted user input into ORM operations. Affects @mikro-orm/core npm package, enabling denial of service and potentially SQL injection when polluted properties influence query construction. No public exploit identified at time of analysis, though GitHub security advisory published by the project maintainers confirms the vulnerability class (CWE-1321).

Deadlock in Linux kernel rust_binder driver occurs when BC_DEAD_BINDER_DONE is invoked on a non-looper thread while the proc lock is held, preventing push_work_if_looper() from safely acquiring the proc lock for work queue delivery. The vulnerability affects the Rust implementation of Android's Binder IPC mechanism and can cause kernel deadlock, potentially resulting in denial of service to affected processes or the entire system depending on thread scheduling.

Resource exhaustion in OpenClaw webhook endpoint allows remote attackers to consume server memory and processing resources via unauthenticated Telegram webhook POST requests. OpenClaw versions prior to 2026.3.13 process and buffer entire request bodies before validating authentication tokens, enabling denial-of-service attacks with no authentication required. CVSS 8.7 (High) reflects network-accessible, low-complexity attack with high availability impact. No public exploit identified at time of analysis, though the attack technique is straightforward given the architectural flaw.

LibJWT versions 3.0.0 through 3.2.x are vulnerable to denial of service through a NULL pointer dereference in RSA-PSS JWK parsing. When processing specially crafted JWK files that substitute integers for expected string values, the library fails to validate input types, causing a crash. This affects applications that import RSA-PSS keys from JWK files, particularly those handling untrusted key sources. No public exploit code has been identified; patch 3.3.0 resolves the issue.

Remote attackers can crash Zebra cryptocurrency nodes (versions <4.3.0) by sending malformed V5 transactions that pass initial deserialization but trigger panics during transaction ID calculation. The vulnerability requires no authentication and can be exploited via a single crafted network message to the P2P port (8233) or through the sendrawtransaction RPC method. No public exploit code has been identified at time of analysis, though the attack mechanism is well-documented in the vendor advisory. EPSS data not available for this CVE.

Denial of service in Open5GS 2.7.6 via malformed CCA (Credit-Control-Answer) messages in the SMF (Session Management Function) component allows remote attackers to crash the service without authentication. The vulnerability affects the smf_gx_cca_cb, smf_gy_cca_cb, and smf_s6b functions in the CCA Message Handler, with publicly available exploit code demonstrating the attack despite high complexity requirements. CVSS 6.3 reflects the availability impact and remote attack vector, though exploitation requires crafted network conditions.

Arbitrary code execution in Adobe Substance3D Stager 3.1.7 and earlier allows local attackers to execute malicious code with user privileges through specially crafted files. Exploitation requires social engineering to trick users into opening weaponized Stager project files. No public exploit identified at time of analysis, though the use-after-free vulnerability class is well-understood and exploitable. CVSS 7.8 (High) reflects significant impact if exploited, though local attack vector and user interaction requirement reduce immediate risk compared to remotely exploitable flaws.

Denial-of-service vulnerability in Fleet device management software prior to version 4.81.0 allows authenticated hosts to crash the entire Fleet server process by sending a malformed log type value to the gRPC Launcher endpoint, disrupting all connected devices, MDM enrollments, and API consumers. The vulnerability requires prior authentication but affects availability across the entire infrastructure. Vendor-released patch: version 4.81.0.

Handlebars.js template engine crashes Node.js processes when compiling templates containing unregistered decorator syntax (e.g., {{*n}}), enabling single-request denial-of-service attacks against applications that accept user-supplied templates. The vulnerability affects the npm package handlebars (pkg:npm/handlebars) and has CVSS score 7.5 (AV:N/AC:L/PR:N/UI:N). A functional proof-of-concept demonstrating the crash exists in the public advisory, confirming exploit code is publicly available. No active exploitation (CISA KEV) has been reported at time of analysis.

The serialize-javascript npm library versions prior to 7.0.5 contain a CPU exhaustion denial-of-service vulnerability triggered when processing specially crafted array-like objects with artificially large length properties, causing the serialization process to hang indefinitely and consume 100% CPU. The vulnerability affects npm package serialize-javascript (pkg:npm/serialize-javascript) and impacts applications that serialize untrusted or user-controlled objects, particularly those also vulnerable to prototype pollution or YAML deserialization attacks that could inject malicious payloads. No public exploit code has been identified, but the attack vector is network-accessible with high complexity, posing a moderate real-world threat in supply-chain and backend service contexts.

Fleet server memory exhaustion via unbounded request bodies allows unauthenticated denial-of-service against multiple HTTP endpoints. The vulnerability affects Fleet v4 (github.com/fleetdm/fleet/v4) and was responsibly disclosed by @fuzzztf. Attackers can exhaust available memory and force server restarts by sending oversized or repeated HTTP requests to unauthenticated endpoints lacking size limits. No public exploit identified at time of analysis, though the attack mechanism is straightforward given the CWE-770 resource allocation vulnerability class.

Prototype pollution in locutus npm package version 2.0.39 through 3.0.24 allows remote attackers to bypass `Object.prototype` pollution guards via a crafted query string passed to the `parse_str` function, enabling authentication bypass, denial of service, or remote code execution in chained attack scenarios where `RegExp.prototype.test` has been previously compromised. Publicly available exploit code exists demonstrating the vulnerability; vendor-released patch available in version 3.0.25.

Prototype pollution in the locutus npm package's unserialize() function allows remote attackers to inject arbitrary properties into deserialized objects by crafting malicious PHP-serialized payloads containing __proto__ keys, enabling authorization bypass, property propagation attacks, and denial of service via method override. The vulnerability affects locutus versions prior to 3.0.25; publicly available exploit code exists demonstrating property injection, for-in propagation to real own properties, and built-in method disruption.

Wazuh Manager authd service through version 4.7.3 fails to properly restrict client-initiated SSL/TLS renegotiation requests, allowing unauthenticated remote attackers to trigger excessive renegotiations that consume CPU resources and cause denial of service. The vulnerability affects the authentication daemon across all Wazuh Manager deployments running vulnerable versions, enabling attackers to render the authd service unavailable with no authentication required and minimal attack complexity.

Denial-of-service vulnerability in python-ecdsa library allows remote attackers to crash applications parsing untrusted DER-encoded private keys through truncated or malformed DER structures. The DER parsing functions accept invalid input that declares a longer byte length than actually provided, subsequently triggering unexpected internal IndexError exceptions instead of cleanly rejecting the malformed data. Publicly available proof-of-concept code demonstrates deterministic crashes via SigningKey.from_der() on mutated DER inputs.

Wazuh Manager authd service through version 4.7.3 fails to properly restrict client-initiated SSL/TLS renegotiation, enabling remote attackers to trigger denial of service by flooding the service with excessive renegotiation requests that exhaust CPU resources and render the authentication daemon unavailable. The vulnerability affects all Wazuh Manager installations up to and including version 4.7.3, requires no authentication or user interaction, and can be exploited over the network by any remote actor. No public exploit code or active exploitation has been confirmed at this time, though the straightforward nature of renegotiation-based DoS attacks and moderate CVSS score of 6.9 indicate practical exploitability.

Wazuh authd daemon contains a heap-buffer overflow vulnerability (CWE-125) triggered by specially crafted input from authenticated remote users, causing memory corruption and denial of service to the authentication daemon. The vulnerability affects all versions of Wazuh (CPE: cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*) and requires authenticated network access to exploit; no public exploit code or active exploitation has been confirmed at this time.

Grafana versions prior to patching are vulnerable to denial-of-service attacks via maliciously crafted resample queries that exhaust server memory and trigger out-of-memory crashes. Authenticated users with query execution privileges can exploit this low-complexity remote vulnerability to disrupt service availability. No public exploit code or confirmed active exploitation has been identified at the time of analysis, though the attack surface is broad given Grafana's widespread deployment in monitoring infrastructure.

Grafana's testdata data-source plugin allows authenticated users to trigger out-of-memory (OOM) crashes, causing a denial of service affecting availability. The vulnerability requires low-privilege user authentication and network access to the affected Grafana instance, enabling local or remote attackers with valid credentials to exhaust server memory resources without user interaction. No public exploit code or active exploitation has been confirmed at the time of analysis.

OX Dovecot Pro mail delivery processes consume excessive CPU resources when processing mail messages containing abnormally high numbers of RFC 2231 MIME parameters, enabling remote denial of service without authentication or user interaction. Unauthenticated remote attackers can craft malicious MIME messages to trigger algorithmic complexity in parameter parsing, degrading mail service availability. No public exploit code is currently known, and patch availability has not been independently confirmed from the provided advisory reference.

OX Dovecot Pro managesieve-login process crashes repeatedly due to memory exhaustion triggered by unauthenticated attackers sending crafted messages. The vulnerability enables remote denial of service against the managesieve protocol without authentication (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), with a CVSS score of 7.5 (High severity). No public exploit identified at time of analysis, and the vendor has released a security advisory with remediation guidance.

OX Dovecot Pro suffers from uncontrolled memory allocation in the NOOP command parser (CWE-400), allowing authenticated remote attackers to exhaust server memory and trigger denial of service. By sending NOOP commands with deeply nested parentheses and withholding the line terminator, an attacker can force ~1 MB allocations per connection that persist indefinitely, enabling a single IP to establish 1000+ concurrent connections and exhaust the virtual memory limit, crashing the process and severing all proxied client connections. No public exploit code is known at time of analysis.

OX Dovecot Pro ManageSieve service crashes when processing AUTHENTICATE commands with SASL initial responses using literal format, enabling unauthenticated remote attackers to repeatedly crash the service and deny availability to legitimate users (CVSS 7.5, High availability impact). The vulnerability affects OX Dovecot Pro installations with ManageSieve enabled. No public exploit identified at time of analysis, and EPSS data was not provided in available intelligence.

Use after free vulnerability in Softing smartLink HW-DP or smartLink HW-PN webserver allows HTTP DoS. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

MyTube prior to version 1.8.72 permits unauthenticated attackers to trigger indefinite account lockouts affecting both administrator and visitor authentication by exploiting a shared, globally-scoped login attempt counter across three publicly accessible password verification endpoints. An attacker can repeatedly send invalid authentication requests to any endpoint, progressively increasing a 24-hour cooldown lockout duration that applies to all endpoints simultaneously, effectively denying legitimate users password-based authentication until the patch is deployed. No public exploit code or active in-the-wild exploitation has been confirmed, but the attack requires no privileges and can be automated trivially.

Stack buffer overflow in LSC Indoor Camera V7.6.32 ONVIF GetStreamUri function allows unauthenticated remote attackers to cause denial of service or execute arbitrary code by sending a crafted SOAP request with an oversized Protocol parameter in the Transport element, bypassing input validation and corrupting the stack return instruction pointer.

Inventory depletion in SourceCodester Pharmacy Product Management System 1.0 allows remote attackers to corrupt stock records by submitting negative values through the add-stock.php 'txtqty' parameter, causing the system to decrease inventory instead of increasing it and enabling denial of service via stock exhaustion. Publicly available exploit code exists demonstrating this business logic flaw, and the affected product lacks CVSS severity quantification despite the demonstrated impact on system integrity and availability.

Path traversal in Incus system container manager allows authenticated remote attackers to write arbitrary files as root on the host via malformed systemd credential configuration keys. Affecting all versions before 6.23.0, this enables both privilege escalation from container to host and denial of service through critical file overwrites. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability, with no public exploit identified at time of analysis. The CVSS 9.9 Critical rating reflects the severe impact of container escape, though the PR:L requirement and lack of active exploitation temper immediate urgency.

Denial of service in Incus prior to version 6.23.0 allows authenticated users with storage bucket access to crash the Incus daemon via specially crafted storage bucket backups, enabling repeated attacks to render the control plane API unavailable while leaving running workloads unaffected. The vulnerability requires local or remote authentication to the Incus system and has a CVSS score of 6.5 (medium severity) with high availability impact. Vendor-released patch available in version 6.23.0.