Skip to main content

Tesla

7 CVEs product

Monthly

CVE-2026-48596 LOW POC PATCH GHSA Monitor

HTTP header injection in the Tesla Elixir HTTP client library (versions 0.8.0 through before 1.18.3) allows untrusted input forwarded into Tesla.Multipart.add_content_type_param/2 to split outbound Content-Type headers by embedding CR (\r) or LF (\n) characters. When Tesla.Multipart.headers/1 joins content_type_params verbatim with "; ", a maliciously crafted param string terminates the current header line and inserts arbitrary headers into the outbound HTTP request sent by the Tesla client to downstream systems. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; however, a vendor-released patch is available in version 1.18.3.

Code Injection Tesla
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-48594 HIGH POC PATCH GHSA This Week

Denial-of-service in elixir-tesla Tesla versions 0.6.0 through 1.18.2 allows remote servers to crash or freeze calling Elixir/BEAM processes by returning a tiny gzip- or deflate-encoded response body that decompresses into gigabytes. The flaw lives in Tesla.Middleware.DecompressResponse / Tesla.Middleware.Compression, which eagerly inflated response bodies with no size cap and recursed once per token in the content-encoding header, so a header of 'gzip, gzip, gzip, gzip' produced exponential amplification. No public exploit identified at time of analysis, but the vendor has shipped a patch in 1.18.3 and the CVSS 4.0 score of 8.2 (VA:H) reflects high availability impact.

Denial Of Service Tesla
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48597 HIGH POC PATCH GHSA This Week

Denial of service in the Elixir Tesla HTTP client (versions 1.3.0 through 1.18.2) when using the Tesla.Adapter.Mint adapter allows remote attackers to crash the entire BEAM VM by exhausting the atom table. Each request whose URL scheme is attacker-controlled mints a fresh, never-garbage-collected atom via String.to_atom/1, and after roughly 1,048,576 such requests the VM terminates. No public exploit identified at time of analysis, but the upstream fix and a regression test that asserts no atoms are minted for unknown schemes are both publicly visible on GitHub.

Denial Of Service Tesla
NVD GitHub
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-48598 LOW POC PATCH GHSA Monitor

{k}="#{v}" with no validation of CR, LF, or double-quote characters, enabling a crafted value to close the quoted parameter early, forge headers like Content-Type, or corrupt the part body. No public exploit is identified at time of analysis, and the CVSS 4.0 score of 2.1 (SI:L only) reflects a narrow integrity impact confined to the downstream system receiving the forged multipart payload.

Code Injection Tesla
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-24199 MEDIUM PATCH This Month

Race condition exploitation in NVIDIA Display Driver's Linux kernel module allows a local authenticated user to cause denial of service by manipulating compiler or processor memory instruction ordering. Affected product lines span GeForce, RTX/Quadro/NVS, Tesla, and vGPU Guest Driver across multiple driver branches up to the March 2026 release. No active exploitation has been confirmed - this is not listed in CISA KEV, EPSS is 0.01% (1st percentile), and SSVC assessment classifies exploitation status as none - placing this firmly in a patch-and-monitor category rather than emergency response.

Denial Of Service Nvidia Race Condition Linux Geforce +4
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-24198 MEDIUM PATCH This Month

Race condition in NVIDIA GPU Display Driver for Linux allows a high-privileged local attacker to leak sensitive kernel or process memory, producing limited information disclosure alongside potential data tampering and denial of service. Affected product lines span GeForce, RTX/Quadro/NVS, and Tesla GPU families running Linux driver branches prior to 580.159.03 or 595.71.05. No public exploit code exists and this vulnerability is absent from the CISA KEV catalog; an EPSS of 0.01% (1st percentile) and SSVC classification of Exploitation: none together place it at the lowest tier of real-world exploitation priority.

Denial Of Service Information Disclosure Nvidia Geforce Rtx Quadro Nvs +1
NVD
CVSS 3.1
5.6
EPSS
0.0%
CVE-2022-37709 MEDIUM POC This Month

Tesla Model 3 V11.0(2022.4.5.1 6b701552d7a6) Tesla mobile app v4.23 is vulnerable to Authentication Bypass by spoofing. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Model 3 Firmware Tesla
NVD GitHub
CVSS 3.1
5.3
EPSS
0.6%
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

HTTP header injection in the Tesla Elixir HTTP client library (versions 0.8.0 through before 1.18.3) allows untrusted input forwarded into Tesla.Multipart.add_content_type_param/2 to split outbound Content-Type headers by embedding CR (\r) or LF (\n) characters. When Tesla.Multipart.headers/1 joins content_type_params verbatim with "; ", a maliciously crafted param string terminates the current header line and inserts arbitrary headers into the outbound HTTP request sent by the Tesla client to downstream systems. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; however, a vendor-released patch is available in version 1.18.3.

Code Injection Tesla
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Denial-of-service in elixir-tesla Tesla versions 0.6.0 through 1.18.2 allows remote servers to crash or freeze calling Elixir/BEAM processes by returning a tiny gzip- or deflate-encoded response body that decompresses into gigabytes. The flaw lives in Tesla.Middleware.DecompressResponse / Tesla.Middleware.Compression, which eagerly inflated response bodies with no size cap and recursed once per token in the content-encoding header, so a header of 'gzip, gzip, gzip, gzip' produced exponential amplification. No public exploit identified at time of analysis, but the vendor has shipped a patch in 1.18.3 and the CVSS 4.0 score of 8.2 (VA:H) reflects high availability impact.

Denial Of Service Tesla
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Denial of service in the Elixir Tesla HTTP client (versions 1.3.0 through 1.18.2) when using the Tesla.Adapter.Mint adapter allows remote attackers to crash the entire BEAM VM by exhausting the atom table. Each request whose URL scheme is attacker-controlled mints a fresh, never-garbage-collected atom via String.to_atom/1, and after roughly 1,048,576 such requests the VM terminates. No public exploit identified at time of analysis, but the upstream fix and a regression test that asserts no atoms are minted for unknown schemes are both publicly visible on GitHub.

Denial Of Service Tesla
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

{k}="#{v}" with no validation of CR, LF, or double-quote characters, enabling a crafted value to close the quoted parameter early, forge headers like Content-Type, or corrupt the part body. No public exploit is identified at time of analysis, and the CVSS 4.0 score of 2.1 (SI:L only) reflects a narrow integrity impact confined to the downstream system receiving the forged multipart payload.

Code Injection Tesla
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Race condition exploitation in NVIDIA Display Driver's Linux kernel module allows a local authenticated user to cause denial of service by manipulating compiler or processor memory instruction ordering. Affected product lines span GeForce, RTX/Quadro/NVS, Tesla, and vGPU Guest Driver across multiple driver branches up to the March 2026 release. No active exploitation has been confirmed - this is not listed in CISA KEV, EPSS is 0.01% (1st percentile), and SSVC assessment classifies exploitation status as none - placing this firmly in a patch-and-monitor category rather than emergency response.

Denial Of Service Nvidia Race Condition +6
NVD VulDB
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Race condition in NVIDIA GPU Display Driver for Linux allows a high-privileged local attacker to leak sensitive kernel or process memory, producing limited information disclosure alongside potential data tampering and denial of service. Affected product lines span GeForce, RTX/Quadro/NVS, and Tesla GPU families running Linux driver branches prior to 580.159.03 or 595.71.05. No public exploit code exists and this vulnerability is absent from the CISA KEV catalog; an EPSS of 0.01% (1st percentile) and SSVC classification of Exploitation: none together place it at the lowest tier of real-world exploitation priority.

Denial Of Service Information Disclosure Nvidia +3
NVD
EPSS 1% CVSS 5.3
MEDIUM POC This Month

Tesla Model 3 V11.0(2022.4.5.1 6b701552d7a6) Tesla mobile app v4.23 is vulnerable to Authentication Bypass by spoofing. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Model 3 Firmware Tesla
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy