Denial of Service

Varnish Cache 9.0.0 crashes (denial of service) when a remote client exploits timing between timeout_linger and timeout_idle to trigger HTTP/1 request pipelining that causes a workspace overflow in the refactored HTTP/2 architecture. The vulnerability stems from incomplete code path handling during workspace rollback in the recent non-blocking port, allowing prefetched data to exceed workspace_client boundaries and panic the daemon. Vendor-released patch: version 9.0.1. No public exploit code identified at time of analysis, but the attack requires only network access and careful timing, making real-world exploitation feasible for sophisticated attackers.

Varnish Enterprise before version 6.0.16r12 is vulnerable to a workspace overflow denial of service attack that crashes the daemon through the headerplus.write_req0() VCL function. Unauthenticated remote attackers can craft HTTP requests with excessive header fields to trigger a panic and terminate the Varnish server, particularly impacting deployments using shared VCL through Varnish Controller. CVSS base score of 4.0 reflects low availability impact with high attack complexity, and no public exploit code or confirmed active exploitation has been identified.

Denial of service via workspace overflow in Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows unauthenticated remote attackers to trigger daemon panic through HTTP/2 session upgrade with specific amounts of prefetched data. The vulnerability exploits improper buffer allocation during HTTP/1 to HTTP/2 transport upgrade, causing workspace exhaustion on subsequent pipelined fetch operations. EPSS score of 4.0 (low-to-medium risk) reflects attack complexity and limited scope (local availability impact only), though no public exploit code or active exploitation has been confirmed.

Integer underflow in libexif version 0.6.25 and earlier during Fuji and Olympus MakerNote decoding allows local attackers to crash applications or leak sensitive memory information. The vulnerability requires local access and specific user interaction (high complexity) but affects all applications linking libexif, creating a supply-chain exposure for image processing tools.

Integer overflow in libexif through 0.6.25 Nikon MakerNote handling allows local attackers on 32-bit systems to trigger crashes or read sensitive memory, requiring high attack complexity and no user interaction. This affects only 32-bit architectures due to the integer arithmetic involved; EPSS probability is low given the local-only attack vector and high complexity prerequisite, but patch availability is currently unconfirmed.

Tandoor Recipes versions prior to 2.6.5 suffer from a denial-of-service vulnerability in the recipe import functionality that allows authenticated users to crash the application server or severely degrade performance by uploading a specially crafted ZIP bomb file. The vulnerability affects recipe management and meal planning features accessible to authenticated users and has been patched in version 2.6.5.

Authenticated teachers in Chamilo LMS can delete arbitrary student grades platform-wide through Insecure Direct Object Reference in gradebook result views. By manipulating delete_mark or resultdelete GET parameters, attackers bypass course-scope and ownership controls, enabling unauthorized grade deletion across all courses. Versions prior to 1.11.38 and 2.0.0-RC.3 lack server-side validation. No public exploit identified at time of analysis. CVSS 7.1 (High) reflects authenticated access requirement with high integrity impact and low availability impact.

Request body size limit bypass in SvelteKit adapter-node allows unauthenticated attackers to submit oversized payloads, causing denial of service through resource exhaustion. Affects SvelteKit versions prior to 2.57.1 running adapter-node. Exploitation requires specific timing conditions (CVSS AT:P). Platform-level and WAF body size limits remain effective. No public exploit identified at time of analysis. Vulnerability exploits CWE-770 resource allocation flaw where BODY_SIZE_LIMIT enforcement fails under race conditions or specific request patterns.

Vikunja's file import endpoint bypasses configured maximum file size limits by trusting an attacker-controlled Size field in import metadata rather than validating actual decompressed file content. Authenticated users can upload small compressed zip files (e.g., ~25KB) containing files up to 25MB or larger, exhausting server storage and causing denial of service across all users. The vulnerability affects Vikunja v2.2.2 and earlier versions; a vendor-released patch is available in v2.3.0.

NASM up to version 3.02rc5 contains a heap use-after-free vulnerability in response file (-@) processing that allows remote attackers without authentication to cause data corruption or denial of service. The vulnerability arises from a dangling pointer stored in the global depend_file variable that is dereferenced after the response-file buffer has been freed. A proof-of-concept exploit exists, and CISA's SSVC framework rates this as automatable with partial technical impact, indicating moderate real-world risk despite the relatively modest CVSS score of 6.5.

Heap buffer overflow in Netwide Assembler (NASM) 3.02rc5 obj_directive() function enables arbitrary code execution and denial of service when processing maliciously crafted .asm files. Missing bounds validation allows attackers to corrupt heap memory through specially constructed assembly source files. Publicly available exploit code exists. Impacts NASM users assembling untrusted input files, particularly automated build systems and development environments processing external assembly code.

Improper synchronization of the userTokens map in Canonical Juju API server (versions 4.0.5, 3.6.20, and 2.9.56) enables authenticated users to trigger denial of service or reuse single-use discharge tokens due to a race condition. The vulnerability requires low privilege authentication and partial attacker timing control but allows complete availability impact to the server. EPSS score of 6.1 reflects moderate real-world exploitation risk, though no public exploit code or active exploitation has been confirmed.

Out-of-memory denial of service in Apache ActiveMQ allows unauthenticated remote attackers to exhaust broker memory via rapid TLSv1.3 KeyUpdate requests. Affects ActiveMQ Client, Broker, and All distributions versions <5.19.4 and 6.0.0-6.2.3 when NIO SSL transports are used. Vulnerability arises from improper handling of TLSv1.3 handshake KeyUpdate messages, enabling clients to trigger unbounded memory allocation in the SSL engine. No public exploit identified at time of analysis. CVSS 7.5 (AV:N/AC:L/PR:N) indicates network-accessible, low-complexity attack requiring no authentication.

Authenticated arbitrary file overwrite in Perfmatters WordPress plugin ≤2.5.9 allows low-privileged attackers (Subscriber-level and above) to corrupt critical server files via path traversal. The PMCS::action_handler() method processes bulk activate/deactivate actions without authorization checks or nonce verification, passing unsanitized $_GET['snippets'][] values through Snippet::activate()/deactivate() to file_put_contents(). Attackers can overwrite files like .htaccess or index.php with fixed PHP docblock content, causing denial of service. Exploitation requires authenticated access with minimal privileges. No public exploit identified at time of analysis.

owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.

Regular expression denial of service (ReDoS) in jsVideoUrlParser library version 0.5.1 and earlier allows remote attackers to cause application availability loss by supplying a malicious timestamp argument to the getTime function in lib/util.js. The vulnerability exhibits inefficient regular expression complexity that can be triggered without authentication or user interaction. Publicly available exploit code exists, though the maintainer has not yet responded to early notification of the issue.

BGP session reset vulnerability in Juniper Networks Junos OS 25.2 and Junos OS Evolved 25.2-EVO allows adjacent unauthenticated attackers to trigger Denial of Service by sending malformed BGP packets within established sessions. Affects both eBGP and iBGP implementations across IPv4 and IPv6. Repeated exploitation enables sustained service disruption. Vulnerability confirmed actively exploited (CISA KEV). No public exploit identified at time of analysis. Adjacent network access required; attacker must be on same network segment as BGP peering.

Denial of service in Juniper Networks Junos OS on SRX Series allows unauthenticated remote attackers to crash srxpfe process via malformed ICMPv6 packets during NAT64 translation. Repeated exploitation sustains DoS by forcing continuous process restarts. Affects wide range of Junos OS versions from 21.2 through 25.2 on SRX hardware. Vulnerability limited to ICMPv6 traffic; IPv4 and standard IPv6 cannot trigger. No public exploit identified at time of analysis.

Denial of service in Juniper Networks Junos OS chassis control daemon (chassisd) on SRX1500, SRX4100, SRX4200, and SRX4600 allows local attackers with low privileges to crash the daemon via a specific 'show chassis' CLI command, causing complete traffic disruption until modules restart. The vulnerability affects Junos OS versions 23.2 before 23.2R2-S6, 23.4 before 23.4R2-S7, 24.2 before 24.2R2-S2, 24.4 before 24.4R2, and 25.2 before 25.2R1-S1 or 25.2R2. No public exploit code or active exploitation has been identified at time of analysis.

Complete persistent denial of service in Juniper Networks Junos OS Evolved on PTX Series routers allows authenticated, low-privilege network attackers to crash the evo-aftmand service with no automatic recovery. The vulnerability triggers when PCEP-provisioned colored SRTE policy tunnels with 32-bit ASN values (greater than 65,535) in the Originator ASN field are monitored via gRPC, causing permanent forwarding plane failure until manual system restart. Affects multiple versions through 25.2 release train. No public exploit identified at time of analysis.

Packet buffer allocation failure in Juniper EX4000 and QFX5000 Series switches allows adjacent unauthenticated attackers to cause persistent Denial of Service requiring manual device restart. Attack vector requires specific configuration: device configured as service-provider edge with L2PT enabled on UNI and VSTP enabled on NNI in VXLAN scenarios. Receiving VSTP BPDUs on UNI triggers buffer exhaustion, halting all traffic forwarding. Affects Junos OS 24.4 through 24.4R1, 25.2 through 25.2R1. No public exploit identified at time of analysis.

Remote denial-of-service in Juniper Networks Junos OS (SRX/MX Series) allows unauthenticated attackers to crash IPsec daemons via malformed ISAKMP packets. Exploiting the improper input validation (CWE-1286) in kmd/iked IPsec library causes process restart, preventing new VPN security association establishment. Repeated attacks create sustained inability to establish VPN connections, severely degrading network connectivity for affected enterprise firewalls and routing platforms. No public exploit identified at time of analysis.

Memory exhaustion in Juniper Networks Junos OS BroadBand Edge subscriber management daemon (bbe-smgd) on MX Series allows adjacent unauthenticated attackers to trigger persistent denial of service by sending authentication packets that do not match configured packet-type options. Each mismatched packet leaks memory, eventually consuming all available daemon heap memory and preventing new subscriber logins. Authentication packet-type configuration must be active for exploitation. No public exploit identified at time of analysis.

Memory leak in Juniper Networks Junos OS jdhcpd daemon enables adjacent unauthenticated attackers to crash DHCP services on MX Series routers. Each DHCPv6 subscriber logout in PPPoE or VLAN configurations with active/bulk lease query leaks memory, eventually exhausting resources and triggering jdhcpd crash. Service remains unavailable until process restart completes. Affects all Junos OS versions before 22.4R3-S1, 23.2 versions before 23.2R2, and 23.4 versions before 23.4R2. No public exploit identified at time of analysis.

Memory leak in Juniper Networks l2ald daemon allows adjacent attackers to crash Layer 2 services on EVPN-MPLS networks. Affects Junos OS and Junos OS Evolved across multiple versions. Unauthenticated attackers on the same network segment can trigger resource exhaustion by causing ESI route churn from multi-homed Provider Edge devices, forcing l2ald process crash and restart. No public exploit identified at time of analysis, but exploitation requires only network adjacency without authentication.

Denial of service in Juniper Junos OS chassis control daemon (chassisd) on SRX1600, SRX2300, and SRX4300 devices allows local attackers with low privileges to trigger a complete crash via a specific 'show chassis' CLI command, causing temporary traffic disruption until module recovery. Junos OS 24.4 versions before 24.4R1-S3 and 24.4R2 are affected; no public exploit code identified at time of analysis.

OpenClaw before version 2026.3.25 processes JSON webhook request bodies before validating cryptographic signatures, allowing unauthenticated remote attackers to trigger denial of service by submitting malicious webhook payloads that force computationally expensive JSON parsing operations. The vulnerability exploits a logic-ordering defect where signature validation occurs after resource-intensive parsing, enabling attackers to exhaust server resources without valid credentials. No public exploit code has been identified at the time of analysis, though the attack requires only network access and is trivially exploitable.

OpenClaw before 2026.3.22 processes cryptographic operations on inbound Nostr direct messages prior to validating sender identity and pairing status, allowing unauthenticated remote attackers to trigger denial of service through resource exhaustion by sending crafted messages. CVSS 6.9 reflects moderate impact with low integrity and availability degradation; no public exploit code or active exploitation has been confirmed.

Unauthenticated resource exhaustion in OpenClaw before 2026.3.22 allows remote attackers to cause denial of service by sending large or malicious webhook requests to the voice call handler, which buffers request bodies before validating provider signatures. The vulnerability requires only network access (AV:N, PR:N) and can be exploited with low complexity, making it a practical attack vector for disrupting service availability.

Unauthenticated buffer overflow in Juniper Networks Junos OS Evolved advanced forwarding toolkit (evo-aftmand/evo-pfemand) permits adjacent attackers to crash PTX Series and QFX5000 Series devices via crafted multicast packets. Exploitation triggers line card or device restart, sustaining denial of service under continuous attack. Affects multiple Junos OS Evolved release branches before patched versions. No public exploit identified at time of analysis. Attack requires adjacent network access but no authentication, making exploitation feasible in shared network segments.

Unauthenticated resource exhaustion in PraisonAI versions prior to 4.5.128 allows remote attackers to drain OpenAI API credits and exhaust server resources. The /media-stream WebSocket endpoint in the call module accepts connections without authentication or Twilio signature validation, enabling unlimited concurrent sessions to OpenAI's Realtime API using the server's credentials. No public exploit identified at time of analysis. Affects PraisonAI deployments exposing the call module's WebSocket interface.

Memory exhaustion denial of service in PraisonAI's WSGI-based recipe registry server (server.py) affects versions prior to 4.5.128. The vulnerability allows unauthenticated local processes to send arbitrarily large POST requests by spoofing the Content-Length header, causing the server to allocate unbounded memory and crash. Authentication is disabled by default, eliminating any access control barrier. The Starlette-based alternative server (serve.py) includes a 10MB request size limit, but the WSGI implementation lacks equivalent protection. Vendor-released patch: version 4.5.128 or later.

Wasmtime versions 25.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 contain a compiler type-checking bug in the Winch backend where the table.grow operator returns incorrectly typed 64-bit values instead of 32-bit values for 32-bit tables, enabling read/write access to 16 bytes of host memory preceding linear memory and resulting in denial of service when Wasmtime detects the unauthorized access. The vulnerability requires explicit selection of the non-default Winch compiler backend and either disabled guard pages or modified memory layout to achieve information disclosure; default Wasmtime configurations using the Cranelift compiler and standard guard page placement are unaffected. No public exploit code or active exploitation has been identified, though the attack vector is remote and requires low-privilege authenticated access.

NULL pointer dereference in GnuTLS TLS handshake processing enables unauthenticated remote attackers to crash servers via malformed ClientHello messages containing invalid Pre-Shared Key binder values. Vulnerability affects Red Hat Enterprise Linux 6-10, OpenShift Container Platform 4, and Red Hat Hardened Images. Attack requires network access only with low complexity and no user interaction. CVSS 7.5 (High) reflects severe availability impact. No public exploit identified at time of analysis.

Out-of-bounds read in osslsigncode versions 2.12 and earlier allows local attackers to crash the application via crafted PE files with malicious section headers during page-hash computation. The vulnerability exists in the pe_page_hash_calc() function, which fails to validate that section headers' PointerToRawData and SizeOfRawData values reference valid file regions. An attacker can trigger the flaw by providing a malicious PE file for signing with page hashing enabled (-ph flag) or by providing an already-signed malicious PE file for verification, where verification does not require the -ph flag. CVSS 5.5 with high availability impact; no public exploit identified at time of analysis.

Osslsigncode 2.12 and earlier contains an integer underflow in PE page-hash computation that allows local attackers to trigger an out-of-bounds heap read and crash the process via a specially crafted PE file with SizeOfHeaders larger than SectionAlignment. The vulnerability is triggered either when signing a malicious PE file with page hashing enabled (-ph flag) or when verifying an already-signed PE file containing page hashes, making verification particularly dangerous since no special flags are required. This is a denial-of-service vulnerability with no public exploit code identified at time of analysis, though the root cause (missing validation in integer subtraction) is straightforward to exploit.

Ubuntu Subiquity 24.04.4 leaks sensitive user credentials in crash report logs submitted to Launchpad during installation failures, potentially exposing plaintext Wi-Fi passwords and other credentials to unauthorized third parties. The vulnerability affects multiple Ubuntu versions (24.04.4, 25.04, and 25.10) and requires user interaction (submission of a crash report) but carries low real-world exploitation risk due to a CVSS score of 2.7 and absence of active exploitation signals. No public exploit code is known; vendor-released patches are available.

ubuntu-desktop-provision version 24.04.4 leaks user password hashes in crash report logs submitted to Launchpad during installation failures. An unauthenticated remote attacker can obtain sensitive credentials if a user opts to report the installation failure, requiring user interaction to trigger the vulnerability but resulting in direct exposure of authentication material. Patch available from Canonical via GitHub pull requests; EPSS and KEV status not actively exploited at time of analysis.

Denial of service in fast-jwt 5.0.0 through 6.2.0 allows authenticated remote attackers with user interaction to cause significant CPU consumption via crafted JWT tokens that trigger catastrophic backtracking in regular expression evaluation when the allowedAud verification option is configured with a regex pattern. The vulnerability exploits attacker-controlled aud claims evaluated against user-supplied regexes, resulting in ReDoS (regular expression denial of service). Vendor-released patch available in version 6.2.1.

A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.

A gzip decompression bomb vulnerability exists when Orthanc processes HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.

A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on the attacker supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large `Content-Length` value can trigger excessive memory allocation and server termination, even without sending a request body.

Mattermost Plugins versions 2.1.3.0 and earlier allow remote attackers without authentication to cause denial of service through memory exhaustion by sending oversized JSON payloads to the /changes webhook endpoint. The vulnerability stems from a lack of request body size validation, enabling attackers to exhaust server memory and crash the service. CVSS is 3.7 (low severity) with low exploitability complexity, and no public exploit or active exploitation has been confirmed.

Mattermost Plugins versions 2.3.1 and earlier allow unauthenticated remote attackers to trigger denial of service by sending oversized JSON payloads to the /lifecycle webhook endpoint, causing memory exhaustion due to missing request body size validation. CVSS 3.7 reflects low severity despite network accessibility; EPSS and active exploitation status not independently confirmed from available data.

Denial of service in GitLab EE 18.2-18.10 allows authenticated users to crash the GitLab instance through improper input validation in GraphQL queries. GitLab EE versions 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 are affected. An authenticated attacker with any valid GitLab account can trigger the vulnerability by submitting a malformed GraphQL query, causing the instance to become unavailable. No public exploit code has been identified at the time of analysis, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Denial of service in GitLab CE/EE versions 12.10 through 18.8.8, 18.9 through 18.9.4, and 18.10 through 18.10.2 allows unauthenticated remote attackers to crash GitLab services via malformed JSON payloads. Improper input validation (CWE-1284) enables resource exhaustion attacks without authentication. CVSS 7.5 (High) reflects network-accessible attack with low complexity requiring no user interaction. No public exploit identified at time of analysis. EPSS data unavailable; not listed in CISA KEV.

Denial of service in GitLab CE/EE versions 13.0 through 18.10.2 allows unauthenticated remote attackers to exhaust server resources via repeated GraphQL queries. Affects all installations from version 13.0 before patched releases 18.8.9, 18.9.5, and 18.10.3. Attackers can degrade or halt GitLab service availability without authentication, impacting development workflows and CI/CD pipelines. No public exploit identified at time of analysis.

Unbounded zlib decompression in dfir-unfurl versions through 20250810 enables unauthenticated remote attackers to exhaust server memory via crafted compressed payloads submitted to the /json/visjs endpoint. Attackers can submit highly compressed data that expands to gigabytes when decompressed, crashing the service through resource exhaustion. The vulnerability affects the parse_compressed.py module and requires no authentication. No public exploit identified at time of analysis.

Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)

Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Use after free in Navigation in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Use-after-free vulnerability in Google Chrome's PrivateAI component (versions prior to 147.0.7727.55) enables sandbox escape when remote attackers socially engineer victims into performing specific UI interactions with malicious HTML pages. Exploitation requires user engagement with attacker-controlled content but no authentication. CVSS 9.6 critical severity reflects potential for complete compromise of confidentiality, integrity, and availability with scope change indicating sandbox boundary violation. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.03%).

Use after free in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Remote code execution in Google Chrome Media component (versions prior to 147.0.7727.55) enables unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages. Exploitation requires user interaction to visit a malicious site. The use-after-free memory corruption vulnerability achieves high confidentiality, integrity, and availability impact within the sandboxed environment. No public exploit identified at time of analysis.

Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use after free in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Kamailio versions prior to 6.0.5 and 5.8.7 contain an out-of-bounds read in the auth module that allows remote attackers with high privileges to trigger a denial of service via a specially crafted SIP packet when successful user authentication without a database backend is followed by additional identity checks. The vulnerability requires high privilege level and high attack complexity but can reliably crash the Kamailio process, impacting SIP service availability.

Out-of-bounds memory access in Kamailio SIP server versions before 5.8.8, 6.0.6, and 6.1.1 enables unauthenticated remote attackers to crash server processes via malformed TCP packets. Affects deployments with TCP or TLS listeners enabled. Exploits network-accessible SIP signaling infrastructure without authentication or user interaction, resulting in complete service unavailability. No public exploit identified at time of analysis.

Denial of service in React Server Components (react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack versions 19.0.0-19.0.4, 19.1.0-19.1.5, 19.2.0-19.2.4) allows unauthenticated remote attackers to cause excessive CPU consumption lasting up to one minute via specially crafted HTTP requests to Server Function endpoints. The malicious payload triggers resource exhaustion without requiring authentication or user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS unavailable).

Memory exhaustion in MinIO S3 Select (RELEASE.2018-08-18T03-49-57Z through RELEASE.2025-12-20T04-58-37Z) allows authenticated users with s3:PutObject and s3:GetObject permissions to crash the server by uploading CSV files lacking newline characters. The vulnerable CSV reader buffers entire lines into memory without size limits, enabling attackers to trigger out-of-memory conditions. A ~2 MB compressed CSV can decompress to gigabytes without newlines, causing denial of service. No public exploit identified at time of analysis.

Path traversal in AGiXT Python package (versions ≤1.9.1) allows authenticated attackers to read, write, or delete arbitrary files on the host server. The essential_abilities extension's safe_join() function fails to validate that resolved paths remain within the agent workspace directory, enabling directory traversal sequences (e.g., ../../etc/passwd) to bypass intended file access restrictions. Exploitation requires low-privilege authentication (valid API key) but no user interaction. Public exploit code exists demonstrating /etc/passwd disclosure via the read_file command endpoint.

Malicious D-Bus peers can execute three distinct attacks against applications using Tmds.DBus or Tmds.DBus.Protocol .NET libraries: signal spoofing via well-known name impersonation (integrity compromise), file descriptor exhaustion causing resource depletion or fd spillover, and application crashes through malformed message bodies triggering unhandled exceptions on SynchronizationContext. Attack requires local access with low-privileged D-Bus peer presence (PR:L). Vendor-released patches available in versions 0.92.0 (both libraries) and 0.21.3 (Protocol only). No public exploit identified at time of analysis.

OpenTelemetry Go OTLP HTTP exporters allow memory exhaustion when sending telemetry to attacker-controlled or network-intercepted collector endpoints. The trace, metric, and log exporters read unbounded HTTP response bodies into in-memory buffers without size limits, enabling an attacker to force large transient heap allocations and crash the instrumented process via out-of-memory conditions. Attack requires network control of the collector endpoint or man-in-the-middle position (CVSS 5.3, CVSS:3.1/AV:A/AC:H). Upstream fix available (PR #8108); no active exploitation confirmed.

GraphQL query complexity abuse in Saleor e-commerce platform enables unauthenticated denial-of-service through alias-based or chained mutation requests. Attackers craft single API calls containing excessive GraphQL operations (mutations/queries) via aliasing or chaining, exhausting server resources and disrupting service availability. Affects Saleor versions 2.0.0 through 3.22.x, with no authentication required for exploitation. Low observed exploitation activity (EPSS <1%). No public exploit identified at time of analysis.

Denial of service affects Saleor e-commerce platform versions 2.0.0 through 3.22.x via unlimited GraphQL query batching. Unauthenticated remote attackers can submit a single HTTP request containing an unbounded array of GraphQL operations, bypassing per-query complexity controls to exhaust server resources and render the platform unavailable. Vendor-released patches are available across all affected major versions (3.20.118, 3.21.54, 3.22.47, 3.23.0a3). No public exploit identified at time of analysis, though the attack vector is straightforward (CVSS AV:N/AC:L/PR:N).

Denial of service in Kibana's automatic import feature allows authenticated users to trigger uncontrolled resource consumption by submitting specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, backend services become unstable, resulting in service disruption across all users. CVSS 6.5 (medium severity) reflects the authenticated attack requirement and high availability impact without confidentiality or integrity compromise.

The replace filter in LiquidJS (Node.js npm package) fails to correctly account for memory usage when memoryLimit is enabled, allowing remote attackers to bypass DoS protections with approximately 2,500x memory amplification by crafting templates where the replace operation produces quadratically larger output than the charged memory cost. Deployments with memoryLimit explicitly configured to protect against untrusted template input can suffer out-of-memory crashes; patch available in v10.25.3.

Denial of service in Axios HTTP/2 client before version 1.13.2 allows unauthenticated remote attackers to crash Node.js applications through malicious HTTP/2 server responses that trigger state corruption during concurrent session closures. The vulnerability exploits a control flow error in session cleanup logic with high attack complexity, making real-world exploitation require specific server-side conditions but posing significant risk to applications relying on HTTP/2.

In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &iov, ... }; *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values. Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used. Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety. [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3

Denial of service in Go's crypto/x509 chain builder allows remote attackers to exhaust server resources by submitting a large number of intermediate certificates during TLS handshake or direct certificate verification. Affects crypto/x509 versions prior to 1.25.9 and 1.26.0-1.26.1. No public exploit identified at time of analysis, though SSVC assessment indicates the attack is automatable. EPSS exploitation probability is minimal (0.01%), suggesting low observed attacker interest despite the network-accessible attack surface and lack of authentication requirements.

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Buffer overflow in D-Link DI-8300 router firmware v16.07.26A1 enables unauthenticated remote attackers to trigger denial of service conditions via malformed input to the fn parameter in tgfile_htm function. Network-accessible attack vector requires no privileges or user interaction. CVSS 7.5 (High) reflects availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).

Buffer overflow in D-Link DI-8300 router firmware v16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions through malformed fx parameter input to the jingx_asp function. Network-accessible exploitation requires no authentication or user interaction (CVSS AV:N/PR:N/UI:N). Impact limited to availability disruption; no data confidentiality or integrity compromise. No public exploit identified at time of analysis. EPSS 0.02% indicates low observed exploitation activity.

Buffer overflow in D-Link enterprise VPN router series (DI-8003, DI-8500, DI-8003G, DI-8200G, DI-8200, DI-8400, DI-8004w, DI-8100, DI-8100G) firmware versions 16.07.26A1 and 17.12.20A1/17.12.21A1 allows unauthenticated remote attackers to trigger denial of service via crafted HTTP requests exploiting rd_en, rd_auth, rd_acct, http_hadmin, http_hadminpwd, rd_key, and rd_ip parameters in radius_asp function. Attack requires no user interaction or authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis.

Buffer overflow in D-Link DI-8300 router firmware v16.07.26A1 ip_position_asp function enables unauthenticated remote attackers to trigger denial of service through crafted input to the ip parameter. Network-accessible vulnerability requires no user interaction. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects unauthenticated network attack vector with complete availability impact.

NULL pointer dereference in OpenSSL CMS EnvelopedData processing enables unauthenticated remote denial of service. Affects OpenSSL 1.0.2 through 3.6.x when processing attacker-controlled CMS messages with KeyTransportRecipientInfo using RSA-OAEP encryption. Missing optional parameters field in algorithm identifier triggers crash before authentication occurs. Applications calling CMS_decrypt() on untrusted input (S/MIME, CMS-based protocols) vulnerable. FIPS modules unaffected. No public exploit identified at time of analysis. EPSS indicates low observed exploitation activity.

Null pointer dereference in OpenSSL 1.0.2 through 3.6 CMS EnvelopedData processing crashes applications before authentication when KeyAgreeRecipientInfo messages lack optional parameters field. Unauthenticated remote attackers can trigger denial of service against S/MIME processors and CMS-based protocol handlers calling CMS_decrypt() on untrusted input. FIPS modules unaffected. Vendor-released patches available for all affected branches (1.0.2zp, 1.1.1zg, 3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2). Low observed exploitation activity; no public exploit identified at time of analysis.

NULL pointer dereference in OpenSSL 1.0.2 through 3.6.x delta CRL processing enables remote denial-of-service attacks against applications performing X.509 certificate verification. Exploitation requires X509_V_FLAG_USE_DELTAS flag enabled, certificates with freshestCRL extension or base CRL with EXFLAG_FRESHEST flag, and attacker-supplied malformed delta CRL missing required CRL Number extension. Unauthenticated network-accessible attack with low complexity causes application crash. Impact limited to availability; memory disclosure and code execution ruled out by vendor. FIPS modules unaffected.

Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.

Out-of-bounds read in OpenSSL 3.6.0-3.6.1 allows denial of service when AES-CFB128 encryption or decryption processes partial cipher blocks on x86-64 systems with AVX-512 and VAES support. Vulnerability triggers when input buffer ends at a memory page boundary with subsequent unmapped page, causing crashes. Exploitation requires unauthenticated network access but demands specific architectural conditions (AVX-512/VAES) and partial block handling. No public exploit identified at time of analysis. EPSS percentile 5% indicates low observed exploitation activity.

Infinite loop vulnerability in Wikimedia MediaWiki GrowthExperiments Extension (versions 1.45.2, 1.44.4, 1.43.7) allows unauthenticated remote attackers to trigger a denial of service condition by exploiting a Time-of-Check and Time-of-Use (TOCTOU) race condition that causes unreachable loop exit logic. The vulnerability has a CVSS score of 6.9 with low confidentiality, integrity, and availability impact across all scopes. No public exploit code or active exploitation has been confirmed at time of analysis.

Aardvark-dns enters an unrecoverable infinite error loop consuming 100% CPU when processing a truncated TCP DNS query followed by a connection reset, causing denial of service to DNS resolution services. The vulnerability affects the aardvark-dns container DNS service and requires local network access to trigger. No public exploit code or active exploitation has been identified, but the trivial attack vector (malformed DNS packets) and high CPU impact make this a practical denial-of-service risk for containerized deployments.

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger severe CPU and memory amplification via crafted HTTP baggage headers. The vulnerability allows unauthenticated attackers to send multiple baggage header lines that bypass the 8192-byte per-value parse limit by triggering repeated parsing operations - achieving 77x memory amplification (10.3MB vs 133KB per request) in vendor-provided proof-of-concept testing. Vendor-released patch available in v1.41.0. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly available exploit code exists (vendor-provided PoC demonstrating 77x amplification).

Denial-of-service via unthrottled resource allocation in the Wikimedia MediaWiki ReportIncident Extension allows authenticated remote attackers to trigger HTTP DoS by exhausting server resources without rate limiting. Affected versions include ReportIncident 1.43.7, 1.44.4, and 1.45.2. No public exploit code or active exploitation has been confirmed at time of analysis.

Local denial of service and potential remote code execution in OpenPrinting CUPS 2.4.16 and prior occurs when the scheduler (cupsd) deletes temporary printers without expiring associated subscriptions, leaving dangling pointers in memory that are subsequently dereferenced. An unauthenticated local attacker can crash the cupsd daemon or, with heap grooming techniques, achieve arbitrary code execution on systems running affected CUPS versions.

Denial of service in OpenPrinting CUPS 2.4.16 and prior allows unprivileged local users to crash the cupsd root process via integer underflow in _ppdCreateFromIPP() by supplying a negative job-password-supported IPP attribute, which wraps to a large size_t value and triggers a stack buffer overflow in memset(). When combined with systemd's automatic restart mechanism, an attacker can sustain repeated crashes without requiring elevated privileges or user interaction.

Remote unauthenticated denial-of-service in SoftEther VPN Developer Edition 5.2.5188 and earlier allows attackers to crash the vpnserver process and terminate all active VPN sessions by sending a single malformed EAP-TLS packet over raw L2TP (UDP port 1701). This pre-authentication vulnerability requires no privileges or user interaction (CVSS vector AV:N/AC:L/PR:N/UI:N), enabling trivial service disruption. No public exploit identified at time of analysis, though the attack mechanism is well-documented in vendor advisory GHSA-q5g3-qhc6-pr3h.

Authenticated denial of service via CQL in Apache Cassandra 4.0 through 5.0 allows authenticated users to elevate query latencies by repeatedly changing passwords, disrupting service availability for legitimate users. The vulnerability affects Cassandra 4.0.0-4.0.19, 4.1.0-4.1.10, and 5.0.0-5.0.6. Vendor-released patches are available (4.0.20, 4.1.11, 5.0.7). With an EPSS score of 0.02% (5th percentile), real-world exploitation risk is minimal despite the moderate CVSS score of 6.5, reflecting the requirement for prior authentication and the low likelihood of widespread abuse.