Denial of Service
Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions.
How It Works
Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions. Attackers exploit asymmetry: minimal attacker effort produces disproportionate resource consumption on the target. Application-level attacks use specially crafted inputs that trigger expensive operations—a regex engine processing malicious patterns can backtrack exponentially, or XML parsers recursively expand entities until memory exhausts. Network-level attacks flood targets with connection requests or amplify traffic through reflection, but application vulnerabilities often provide the most efficient attack surface.
The attack typically begins with reconnaissance to identify resource-intensive operations or unprotected endpoints. For algorithmic complexity attacks, adversaries craft inputs hitting worst-case performance—hash collision inputs filling hash tables with collisions, deeply nested JSON triggering recursive parsing, or pathological regex patterns like (a+)+b against strings of repeated 'a' characters. Resource exhaustion attacks open thousands of connections, upload massive files to unbounded storage, or trigger memory leaks through repeated operations. Crash-based attacks target error handling gaps: null pointer dereferences, unhandled exceptions in parsers, or assertion failures that terminate processes.
Impact
- Service unavailability preventing legitimate users from accessing applications during attack duration
- Revenue loss from downtime in e-commerce, SaaS platforms, or transaction processing systems
- Cascading failures as resource exhaustion spreads to dependent services or database connections pool out
- SLA violations triggering financial penalties and damaging customer trust
- Security team distraction providing cover for data exfiltration or intrusion attempts running concurrently
Real-World Examples
CVE-2018-1000544 in Ruby's WEBrick server allowed ReDoS through malicious HTTP headers containing specially crafted patterns that caused the regex engine to backtrack exponentially, freezing request processing threads. A single attacker could saturate all available workers.
Cloudflare experienced a global outage in 2019 when a single WAF rule containing an unoptimized regex hit pathological cases on legitimate traffic spikes. The .*(?:.*=.*)* pattern exhibited catastrophic backtracking, consuming CPU cycles across their edge network until the rule was disabled.
CVE-2013-1664 demonstrated XML bomb vulnerabilities in Python's XML libraries. Attackers uploaded XML documents with nested entity definitions-each entity expanding to ten copies of the previous level. A 1KB upload could expand to gigabytes in memory during parsing, crashing applications instantly.
Mitigation
- Strict input validation enforcing size limits, complexity bounds, and nesting depth restrictions before processing
- Request rate limiting per IP address, API key, or user session with exponential backoff
- Timeout enforcement terminating operations exceeding reasonable execution windows (typically 1-5 seconds)
- Resource quotas limiting memory allocation, CPU time, and connection counts per request or tenant
- Regex complexity analysis using linear-time algorithms or sanitizing patterns to eliminate backtracking
- Circuit breakers automatically rejecting requests when error rates or latency thresholds indicate degradation
- Load balancing and autoscaling distributing traffic across instances with automatic capacity expansion
Recent CVEs (36503)
Unauthenticated remote denial of service in NLTK's WordNet Browser HTTP server (nltk.app.wordnet_app) through version 3.9.3 allows any network-reachable attacker to terminate the server process by sending a single GET request to /SHUTDOWN%20THE%20SERVER. The server binds to all interfaces by default and invokes os._exit(0) on receipt, with no public exploit identified at time of analysis but exploitation is trivial given the documented endpoint.
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.transfer() that allows a local app to trigger memory exhaustion of the system package installer. The flaw, addressed in the Android Security Bulletin for Android 17, can be triggered without user interaction and without elevated privileges, but its impact is confined to denial of service rather than code execution. No public exploit identified at time of analysis.
Persistent denial of service in Google Android allows local attackers to exhaust device resources in multiple code paths, rendering functionality unavailable until manual intervention. The flaw requires no privileges and no user interaction, and is addressed in the Android Security Bulletin for android-17. No public exploit identified at time of analysis and no EPSS or KEV signal is provided.
Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Use after free in Tab Strip in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in Downloads in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
Use after free in File Input in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Heap corruption in Google Chrome's Digital Credentials component (versions prior to 149.0.7827.155) allows remote attackers to trigger a use-after-free condition by enticing a user to visit a crafted HTML page, potentially leading to arbitrary code execution within the renderer process. Chromium rates this issue as Critical severity, and Google has released a patched stable-channel build; no public exploit identified at time of analysis and EPSS sits at 0.31% (23rd percentile), indicating low predicted near-term exploitation pressure despite the high CVSS of 8.8.
Use after free in WebShare in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Denial of service in libtiff v4.7.1 and prior allows processing of a crafted TIFF file containing an abnormally large SamplesPerPixel tag value to crash or hang the affected process. Any application or service that passes attacker-controlled TIFF files through libtiff is potentially vulnerable, including web-based image processors, document converters, and media ingestion pipelines. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at the time of this analysis.
Out-of-bounds write in snes9x 1.63's UPS patch file parser allows a crafted .ups ROM patch file to trigger memory corruption and a denial-of-service crash. The flaw resides in the ReadUPSPatch loop in memmap.cpp, where the loop iterator `relative` was not bounded against CMemory::MAX_ROM_SIZE, permitting writes past the end of the allocated ROM buffer. Impact is limited to availability (crash) per the CVSS vector, though the underlying CWE-787 out-of-bounds write class carries broader memory-safety implications. No public exploit identified at time of analysis, and CVSS rates this Low (2.9) due to local attack vector and high complexity.
Authenticated path traversal in Gogs self-hosted Git service (versions <= 0.13.4) allows any user with repository edit permissions to overwrite arbitrary files on the host filesystem via the diff preview endpoint, resulting in denial of service. By abusing the `git diff --output=<file>` flag through the `POST /:user/:repo/_preview/:branch/:path_to_file` handler and bypassing the standard library `path.Clean` filter, an attacker can corrupt critical files such as `gogs.db` or `app.ini`. Publicly available exploit code exists in the form of a detailed researcher write-up with payload examples, though no CISA KEV listing or active exploitation has been reported.
Information disclosure and partial denial of service in Oracle E-Business Suite Enterprise Asset Management (versions 12.2.3 through 12.2.15) allows a low-privileged authenticated attacker with HTTP network access to read all data accessible to the Enterprise Asset Management module and degrade its availability. Oracle rates the issue 7.1 CVSS 3.1 and describes it as easily exploitable. No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.
Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker to read, modify, or delete all framework-accessible data and partially disrupt service via HTTP. Because CVSS scope is Changed, exploitation impacts additional Oracle E-Business Suite products beyond the Framework itself, driving the 9.9 base score. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker over HTTP to gain unauthorized read, modify, and delete access to all framework-accessible data, with scope change extending impact to other Oracle E-Business Suite products. The CVSS 9.9 score reflects low attack complexity, low privileges required, and the scope change that crosses security boundaries into adjacent products. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authenticated, high-privileged attacker over HTTPS to modify or destroy critical data, read a subset of data, and trigger a complete denial of service, with scope change extending impact to additional products. Oracle rates the issue CVSS 3.1 9.0 and there is no public exploit identified at time of analysis, but the scope-change behavior and broad impact warrant prompt patching during the next Oracle CPU window.
Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated network attackers to crash or hang the management console and to perform unauthorized modifications to a subset of accessible data via the Agent Next Gen component over HTTPS. Oracle rates the issue CVSS 8.2 and notes the flaw is easily exploitable; no public exploit identified at time of analysis, and it is not listed on the CISA KEV catalog.
Remote unauthenticated denial-of-service in Oracle MySQL Server and MySQL Cluster (8.0.x, 8.4.x, and 9.0.0-9.7.0) allows network attackers to trigger a hang or repeatable crash of the database via the Server Connection Handling component. Oracle rates the issue as easily exploitable over multiple protocols with no authentication or user interaction, producing a complete availability loss (CVSS 7.5, A:H only). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in Oracle MySQL Router 8.4.0-8.4.9 and 9.0.0-9.7.0 allows unauthenticated remote attackers to hang or repeatedly crash the routing service over TLS-enabled network connections, producing a complete DOS of the affected component. CVSS 3.1 scores this 7.5 with availability-only impact, and no public exploit identified at time of analysis. Because MySQL Router brokers application traffic to InnoDB Cluster/ReplicaSet backends, an outage cascades into downstream application unavailability even when the database servers themselves remain healthy.
Unauthenticated LDAP-based compromise of Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 allows remote attackers to create, delete, or modify critical directory data, read a subset of directory data, and trigger a partial denial of service. The flaw resides in the OUD Core component and was disclosed in Oracle's June 2026 Critical Patch Update with a CVSS 3.1 base score of 8.6; no public exploit identified at time of analysis and the issue is not in CISA KEV.
Remote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plugin component over HTTP, allowing attackers to alter or read subsets of OAM data and trigger partial denial of service. The flaw carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N) and is rated easily exploitable by Oracle. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Authenticated tampering and data exposure in Oracle Data Integrator 12.2.1.4.0 and 14.1.2.0.0 (Market Place component) allows a low-privileged attacker with HTTP network access to read, modify, or delete all data accessible to the product and induce a partial denial of service. Oracle assigns a CVSS 3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:L), and no public exploit identified at time of analysis. The flaw is described by Oracle as easily exploitable, raising the priority for any externally reachable ODI deployment.
Remote denial of service in Android (Pixel) RTP stack arises from a missing null check in checkSsrcCollisionOnRcv within RtpSession.cpp, allowing unauthenticated attackers to crash the affected media component over the network. The flaw carries CVSS 7.5 with availability-only impact, and at the time of analysis there is no public exploit identified and the EPSS exploitation probability is very low (0.14%, 4th percentile).
In writeAocCommand of AocAudioCodec.cpp, there is a possible memory safety issue due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
In lwis_device_external_event_emit of lwis_event.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
In edgetpu_sync_fence_group_shutdown() of edgetpu-dmabuf.c, there is a possible elevation of privilege due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
In NrmmMsgCodec::DecodeUPUTransparentContext of cn_NrmmDecoder.cpp, there is a possible out-of-bounds read due to memory corruption. This could lead to remote denial of service causing a communication processor crash with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple functions of vpu_ioctl.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Denial of service in Pacemaker's CIB remote listener allows unauthenticated remote attackers to crash the cluster service by sending a specially crafted compressed message. The vulnerability is an integer overflow (CWE-190) triggered during pre-authentication message decompression, leading to memory corruption. No public exploit identified at time of analysis, but the pre-auth attack vector and high availability impact on cluster-management infrastructure make this a meaningful risk for exposed deployments.
Body Limit Middleware bypass in Hono (npm/hono < 4.12.25) allows unauthenticated remote clients to send payloads exceeding the configured size limit when the application is deployed on AWS Lambda. By understating the `Content-Length` request header, attackers exploit the Lambda adapter's trust of client-declared header values to slip oversized bodies - large JSON, multipart uploads, etc. - past the middleware check, forcing handlers to process payloads larger than intended and inflating per-request CPU and memory consumption. No public exploit has been identified at time of analysis; the issue is fixed in hono 4.12.25.
Processing crafted PDF outlines in pypdf versions prior to 6.13.0 triggers an infinite loop during writer merge operations, causing a denial of service. Applications that accept user-supplied PDFs and merge them using PdfWriter are affected - specifically any code path that calls merge() on a PDF whose /Outlines or /Parent hierarchy contains circular references. No public exploit has been identified at time of analysis and this is not listed in CISA KEV; a vendor-released patch is available as pypdf 6.13.0.
Infinite loop denial-of-service in pypdf allows an attacker to hang any Python application that processes a crafted PDF using layout-mode text extraction. The vulnerability arises because the `/Parent` hierarchy traversal in `_layout_mode_fonts()` lacked cycle detection, so a circular reference structure in a malicious PDF causes the parser to loop indefinitely. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified, but the attack surface is broad: any service accepting user-supplied PDFs and passing them to pypdf's layout-mode extraction is potentially affected.
Uncontrolled resource consumption in pypdf versions before 6.12.2 allows any attacker who can cause an application to call `extract_text()` on a crafted PDF to trigger unbounded memory growth, resulting in denial of service. The vulnerability arises specifically during form XObject traversal: a PDF containing a self-referencing XObject resource dictionary causes the extraction code to recurse infinitely without cycle detection. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.
Denial of service (and potential limited memory corruption) in the Zephyr RTOS IPv6 networking stack (versions 3.3.0 through 4.4.0) stems from a use-after-free in the IPv6 Neighbor Discovery send paths, where per-interface ICMP statistics are updated by reading from a network packet after the stack has already freed it. Any unauthenticated on-link node can trigger the Neighbor Advertisement path simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 and CONFIG_NET_STATISTICS_PER_INTERFACE enabled, causing a freed slab block to be dereferenced. There is no public exploit identified at time of analysis and EPSS is low (0.14%, 4th percentile); a vendor patch is available, and impact is largely limited to crashes/DoS with only theoretical limited memory corruption.
Use-after-free in Zephyr RTOS's ICMPv4 echo handler allows any unauthenticated remote host to trigger memory corruption or a crash by sending a standard ICMP ping to an affected device. The defect exists in all versions from v1.14 (2019) through v4.4.0, where `icmpv4_handle_echo_request()` reads from a freed `net_pkt` struct after transferring packet ownership to the TX path - violating a contract explicitly documented in `net_core.c`. No public exploit code exists and this CVE does not appear in CISA KEV, but the zero-privilege, network-reachable attack surface makes it a meaningful risk for internet-exposed embedded and IoT deployments running Zephyr with ICMP statistics enabled.
Use-after-free in Zephyr RTOS's ICMPv6 stack (v4.2.0-v4.4.0) allows an unauthenticated remote attacker to crash the networking stack and potentially corrupt memory by sending a standard ICMPv6 Echo Request or any IPv6 packet that elicits an ICMPv6 error response. Both `icmpv6_handle_echo_request()` and `net_icmpv6_send_error()` call `net_pkt_iface()` on a packet after transferring it to `net_try_send_data()`, which may synchronously or asynchronously free the packet's memory slab before the statistics update executes. When `CONFIG_NET_STATISTICS_PER_INTERFACE` is enabled, the stale interface pointer is written through (`iface->stats.icmp.sent++`), escalating the read UAF into an attacker-influenced memory write; no public exploit has been identified at time of analysis, but the trigger is a universally available IPv6 primitive.
Remotely triggerable denial of service in the Zephyr RTOS networking stack (versions 1.12.0 through 4.4.x) arises from a use-after-free in the IPv6 MLD code path, where mld_send() reads net_pkt_iface(pkt) after net_send_data() has already transferred packet ownership and the L2 driver freed it back to its memory slab. An unauthenticated attacker on the local link can elicit the vulnerable path by sending a crafted MLDv2 General Query, causing a NULL-pointer dereference crash or, in a narrow race, memory corruption via a stray statistics increment. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and the issue is not in CISA KEV; a vendor patch is available.
Use-after-free in Zephyr's IPv4 IGMP implementation (igmp_send(), subsys/net/ip/igmp.c) allows a remote unauthenticated attacker to trigger undefined behavior and sporadic denial-of-service crashes on devices running Zephyr v2.6.0 through v4.4.0. The flaw arises because the network packet's interface pointer is re-read via net_pkt_iface(pkt) after net_send_data() may have already released the packet's last reference, returning the slab block to the free list. No public exploit code exists and the vulnerability is not in CISA KEV; however, the remote trigger path via IGMP membership queries (224.0.0.1) requires no authentication, and the analogous IPv6 MLD path (mld_send) carries the same unpatched pattern.
Remote denial of service in Rockwell Automation CompactLogix and ControlLogix programmable automation controllers allows unauthenticated attackers on the network to crash the device by sending a single crafted Common Industrial Protocol (CIP) message. The fault produces a Major Non-Recoverable Fault (MNRF) that requires a full program download to recover, meaning an outage continues until an engineer physically intervenes. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.7 and OT impact make this a priority patch for affected plant floors.
Uncontrolled resource consumption in Mozilla Firefox's Graphics: ImageLib component allows remote attackers to crash or hang the browser by serving specially crafted image content to an unsuspecting user. All Firefox release-channel versions prior to 152 and both ESR tracks (prior to 140.12 and 115.37) are affected, exposing a broad install base across consumer and enterprise environments. No public exploit has been identified, SSVC rates exploitation as none with a non-automatable attack path, and KEV listing is absent - signals that collectively place this vulnerability at lower real-world priority despite a CVSS 6.5 score.
Denial-of-service in Mozilla Firefox's Audio/Video Playback component allows a remote attacker to crash or render the browser unresponsive by delivering crafted media content to a victim. All Firefox releases prior to version 152 are affected per CPE coverage. No public exploit has been identified at time of analysis, and SSVC rates exploitation as none with partial technical impact, placing this in the moderate-priority tier rather than an emergency response category.
Use-after-free in Zephyr RTOS v4.4.0 on Xtensa/MMU targets allows privileged kernel code to corrupt page tables or trigger a fatal MMU exception by destroying a memory domain without unlinking it from the global xtensa_domain_list. The dangling list node persists after arch_mem_domain_deinit() sets domain->arch.ptables to NULL, so any subsequent arch_mem_map() or arch_mem_unmap() call traverses the stale entry and dereferences the freed pointer - producing at minimum a denial-of-service kernel crash (NULL pointer deref) and at worst page-table memory corruption that undermines userspace process isolation. No public exploit code exists and no CISA KEV listing is present; however the integrity and availability impact (I:H, A:H) in a real-time OS kernel elevates practical severity beyond the 6.3 base score for affected embedded deployments.
Heap buffer overflow in GNOME localsearch (formerly tracker-miners) tracker-extract-mp3 component on Red Hat Enterprise Linux 8/9/10, Ubuntu, Debian, and SUSE allows remote attackers to trigger an out-of-bounds heap read by delivering a malformed MP3 file with crafted ID3 performer tags, leading to crashes (DoS) or disclosure of process memory contents. No public exploit identified at time of analysis, and the EPSS score of 0.19% (9th percentile) plus CISA SSVC 'Exploitation: none' indicate low real-world exploitation activity despite the 8.1 CVSS rating. Vendor patches are available across Red Hat (RHSA), Ubuntu USN-8019-1, Debian, and SUSE-SU-2026:0780/21854.
Heap buffer overflow in GNOME localsearch's tracker-extract-mp3 component enables a local attacker to crash the metadata extraction daemon and potentially disclose heap memory contents by supplying a specially crafted MP3 file with malformed ID3v2.3 COMM tags. Affected platforms confirmed by Red Hat include RHEL 8, 9, and 10, where GNOME localsearch (formerly tracker-miners) runs as a background desktop search indexing service. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; exploitation is further constrained by the requirement for local access, low privileges, and user interaction.
Out-of-bounds read in the tracker-extract-mp3 component of GNOME localsearch (formerly tracker-miners) allows a low-privileged local user to trigger an application crash or leak sensitive process memory when the indexer parses a specially crafted MP3 file. Affected deployments include Red Hat Enterprise Linux 8, 9, and 10 running the GNOME desktop stack. No public exploit or active exploitation has been identified at time of analysis, though the file-based delivery mechanism - providing a malicious MP3 to a system where localsearch auto-indexes media - keeps realistic attacker reach higher than the AV:L vector alone implies.
Heap out-of-bounds read in GNOME localsearch (formerly tracker-miners) MP3 Extractor affects Red Hat Enterprise Linux 8, 9, and 10, exploitable when a local user triggers indexing of a specially crafted MP3 file containing malformed ID3v2.4 tags. The missing bounds check in the `extract_performers_tags` function can cause a Denial of Service via an unmapped memory read, and in certain heap layout scenarios may also leak fragments of heap memory, resulting in limited information disclosure. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Denial of service in the elixir-grpc library (versions 0.4.0 through 0.x) allows unauthenticated remote attackers to crash BEAM nodes via a gzip decompression bomb. The GRPC.Compressor.Gzip module calls :zlib.gunzip/1 directly on attacker-controlled bytes without size limits, ratio checks, or incremental decoding, so a single small frame carrying the grpc-encoding: gzip header expands to multi-gigabyte allocations and triggers OOM kills. No public exploit identified at time of analysis, but a vendor patch is available in version 1.0.0.
Unauthenticated denial of service in the elixir-grpc library (versions 0.3.1 up to but not including 1.0.0) allows a single remote attacker to crash an Erlang/BEAM node by streaming an oversized or slow-trickle unary gRPC request body. The Cowboy handler's read_full_body/3 accumulates every chunk into one unbounded binary, and when no grpc-timeout header is sent the per-chunk read timeout collapses to :infinity, so memory grows without bound until the VM dies. No public exploit identified at time of analysis, but the fix is upstream in commit 49e18c3 and the issue is trivial to trigger.
Local privilege escalation and denial of service in HP One Agent software on HP PC products allow authenticated low-privileged users to gain elevated rights or disrupt the agent. HP has acknowledged the issue and is releasing software updates as mitigation. No public exploit identified at time of analysis, and the flaw is not listed on CISA KEV.
Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.prototype by submitting dotted request-body keys such as '__proto__.polluted' to the missingKeyHandler. The 3.9.3 denylist blocked only literal unsafe keys; downstream backends (notably i18next-fs-backend ≤ 2.6.5) that split missing-key strings on the configured keySeparator then walked these segments into an unguarded setPath(). No public exploit identified at time of analysis, but PoC payloads are embedded in the upstream security test suite.
Denial of service in the markdown-it npm library (≤ 14.1.1) stems from a quadratic O(n²) CPU complexity bug in the smartquotes processing rule, exploitable only when `typographer: true` is explicitly enabled. An unauthenticated remote attacker can submit approximately 160KB of consecutive quotation marks to a server-side markdown rendering endpoint and consume over 21 seconds of CPU per request; flooding the endpoint with concurrent payloads can fully exhaust server CPU and prevent legitimate users from being served. No confirmed active exploitation (not in CISA KEV), but a detailed proof-of-concept with timing measurements is publicly documented in the upstream GitHub Security Advisory GHSA-6v5v-wf23-fmfq, and a vendor-released patch is available in version 14.2.0.
Denial of service in Starlette (and downstream FastAPI applications) versions 0.4.1 through 1.3.0 allows remote unauthenticated attackers to exhaust CPU or memory by sending crafted application/x-www-form-urlencoded request bodies. The max_fields and max_part_size limits accepted by request.form() are silently ignored for urlencoded content, so a sub-10MB body can block the event loop for seconds or force unbounded memory allocation. No public exploit identified at time of analysis, but the bug is documented in detail in the upstream GHSA advisory.
Unbounded memory allocation in @opentelemetry/core affects the W3CBaggagePropagator.extract() method, which fails to enforce W3C Baggage specification size limits (8,192 bytes, 180 entries) on the inbound parsing path - only the outbound inject() path was protected. Unauthenticated remote attackers can exploit this to cause partial availability degradation by sending oversized baggage headers, with elevated risk in non-HTTP transport contexts (messaging systems, custom TextMapGetter implementations) where Node.js's native 16 KB header cap does not apply. No public exploit code or CISA KEV listing exists; the CVSS 5.3 Medium score reflects the real-world constraint imposed by Node.js defaults on the dominant HTTP deployment pattern.
Prototype pollution in i18next-fs-backend versions prior to 2.6.6 allows remote attackers to write arbitrary properties onto Object.prototype by submitting crafted missing-translation keys such as '__proto__.polluted' to applications that expose i18next-http-middleware's missingKeyHandler to untrusted input. Backend.writeFile() split keys on the configured keySeparator (default '.') and the getLastOfPath walker in lib/utils.js did not filter unsafe segments before traversing the target object. No public exploit identified at time of analysis, but a coordinated-disclosure advisory (GHSA-2933-q333-qg83) and a fixing commit are public, and downstream impact can include denial of service, configuration poisoning, and bypass of property-based security checks.
Uncontrolled CPU consumption in python-multipart's QuerystringParser (versions <0.0.30) allows remote unauthenticated attackers to cause denial of service by submitting small crafted application/x-www-form-urlencoded bodies using semicolons as field separators. The two-step separator lookup degenerates into O(B²) byte comparisons, letting a ~1 MiB body burn seconds of CPU per request and exhaust workers in Starlette/FastAPI applications that call request.form(). No public exploit identified at time of analysis, though a clear proof-of-concept payload pattern (a;a;a;...) is described in the GHSA advisory.
Memory exhaustion in python-multipart's parse_form() function allows a remote attacker to force unbounded body buffering by supplying a negative Content-Length header, degrading server availability under concurrent load. Affected deployments are narrowly scoped: only bespoke WSGI or http.server handlers that pass raw, unvalidated client-supplied Content-Length values directly into parse_form(). Mainstream consumers such as Starlette, FastAPI, and Werkzeug are not affected. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, consistent with the low CVSS base score of 3.7.
Unbounded input in ua-parser-js v2.0.1–2.0.9's Client Hints API enables remote denial-of-service via catastrophic regex backtracking. Any server-side Node.js application calling `UAParser(headers).withClientHints()` is vulnerable to CPU exhaustion when an attacker supplies an oversized `Sec-CH-UA-Model` header — a single ~32,000-character request consumes over 400ms of CPU with polynomial growth. A functional proof-of-concept exploit is publicly available in the GitHub Security Advisory (GHSA-9h5v-pfqq-x599); no active exploitation in CISA KEV has been confirmed at time of analysis.
Memory amplification in protobufjs 8.2.0-8.4.2 enables remote unauthenticated attackers to exhaust heap memory in Node.js services by submitting crafted protobuf binary payloads densely packed with field numbers absent from the application's schema. The library's unknown-field retention feature - introduced in 8.2.0 - stores these wire elements in `message.$unknowns` with no decode-time cap or discard mechanism, allowing payloads to consume memory far exceeding their wire size. No public exploit code is identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the attack requires no privileges and is accessible over the network against any service that decodes untrusted protobuf binary input.
Denial-of-service in aiohttp (all versions up to and including 3.14.0) allows remote attackers to exhaust server memory by sending large, incomplete WebSocket frame payloads that bypass the library's configured memory size limits. Any Python web application exposing WebSocket endpoints via aiohttp is affected - no authentication is implied as a prerequisite at the protocol layer. No public exploit code has been identified at time of analysis, but the attack primitive is straightforward and the fix is available in 3.14.1.
Unbounded HTTP/1 pipelined request queuing in aiohttp server allows a remote, unauthenticated attacker to exhaust process memory and cause denial of service by sending pipelined requests faster than the server can handle them. All aiohttp server deployments at version 3.14.0 and earlier are affected; the client library is not impacted. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, though the attack requires no special tooling beyond a standard HTTP/1.1 client capable of pipelining.
Memory exhaustion in aiohttp's optimised C HTTP parser allows remote unauthenticated attackers to bypass the max_line_size guard by fragmenting oversized request targets or response reason phrases across multiple TCP reads, potentially causing denial of service against any server using the default pre-built wheel configuration. The flaw is specific to the Cython-compiled C parser (the default in pre-built PyPI wheels); the pure-Python fallback correctly accumulated fragment lengths and is unaffected. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in aiohttp 3.14.1.
Denial of service in GStreamer's AV1 codec parser (gst-plugins-bad) allows a remote unauthenticated attacker to crash any application using GStreamer for AV1 media playback by delivering a specially crafted AV1 file. The root cause is a unit mismatch in the gst_av1_parser_parse_tile_list_obu() function, which feeds a byte count to an API expecting a bit count, desynchronizing the parser and triggering an assertion abort. No public exploit has been identified at time of analysis, and exploitation requires user interaction; however, the vulnerability affects Red Hat Enterprise Linux 6 through 10 where GStreamer is a core multimedia component.
Out-of-bounds read and denial-of-service in GStreamer's RealMedia demuxer (gst-plugins-ugly) allows remote attackers to crash, hang, or potentially leak limited adjacent memory when a victim opens a maliciously crafted RealMedia (.rm) file. The flaw stems from unvalidated offsets in re_skip_pascal_string() and an attacker-controlled loop counter in the FILEINFO metadata parser. No public exploit identified at time of analysis, and the CVE is not on the CISA KEV list.
Denial-of-service in Spring Cloud Sleuth 3.1.0 through 3.1.13 allows remote unauthenticated attackers to exhaust application availability by sending specially crafted calls processed by the spring-cloud-sleuth-instrumentation library when Spring TX (transaction) instrumentation is enabled. The flaw is network-reachable with low attack complexity and no user interaction (CVSS 7.5, AV:N/AC:L/PR:N), but there is no public exploit identified at time of analysis and no CISA KEV listing. Impact is limited to availability - no confidentiality or integrity compromise is possible.
{json:true}), or JSON.stringify(), unbounded recursion exhausts the JavaScript call stack. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-wcpc-wj8m-hjx6 provides full technical detail and patched versions are available.
Schema-name shadowing in protobufjs (npm packages protobufjs and protobufjs-cli) enables denial of service when an attacker can supply or influence protobuf schemas containing field or service method names that collide with JavaScript runtime-significant identifiers used by the protobufjs runtime. Affected names - specifically a field named `hasOwnProperty`, a field or oneof named `$type` via JSON/reflection descriptors, and service methods whose generated helper resolves to `rpcCall` - cause the runtime to read schema-controlled data in place of expected internal helpers, producing deterministic exceptions or uncontrolled recursion (CWE-674) across decode, verification, serialization, and RPC invocation paths. No public exploit has been identified and no active exploitation is confirmed; the misleading 'RCE' tag in the intelligence metadata is directly contradicted by the vendor advisory, which explicitly states the issue is not known to allow code execution.
Denial of service in @angular/common's formatDate function (and the DatePipe that wraps it) allows remote attackers to exhaust CPU and memory by supplying an excessively long, attacker-controlled date format string. On Server-Side Rendered Angular apps this triggers a JavaScript heap out-of-memory crash that takes down the application for all users; on Client-Side Rendered apps it freezes the victim's browser tab. No public exploit identified at time of analysis, but the upstream patch and regression tests are public in angular/angular#69197.
Quadratic CPU exhaustion in js-yaml (npm) versions 4.1.1 and earlier allows unauthenticated remote attackers to block a Node.js event loop for multiple seconds using a crafted YAML payload under 100 KB, resulting in denial of service. The flaw lies in the merge-key parser's failure to deduplicate repeated alias references before invoking per-key processing, producing O(K×M) work from O(K+M) input. A detailed proof-of-concept with reproducible timing benchmarks is publicly available via GitHub Security Advisory GHSA-h67p-54hq-rp68; no active exploitation is confirmed in CISA KEV at time of analysis.
Denial of service in Angular's @angular/common package allows attackers to exhaust CPU and memory by passing crafted digitsInfo strings (e.g., '1.200000000-200000000') to formatNumber, DecimalPipe, PercentPipe, or CurrencyPipe. On SSR deployments this crashes the Node.js process with a heap-out-of-memory error, while client-side rendering freezes the browser tab. No public exploit identified at time of analysis, though the patched code and triggering input strings are documented in PR #68840.
Memory exhaustion denial of service in the npm 'ws' WebSocket library allows a remote unauthenticated peer to crash a Node.js process by streaming many tiny WebSocket fragments that force the receiver to allocate structural wrappers far exceeding the documented maxPayload limit, ultimately triggering an out-of-memory termination. The flaw affects ws versions prior to 5.2.5, 6.2.4, 7.5.11, and 8.21.0, and publicly available exploit code exists in the GitHub Security Advisory GHSA-96hv-2xvq-fx4p.
Denial of service in Multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 allows remote unauthenticated attackers to exhaust server disk space when the library is configured with diskStorage. Aborted or malformed multipart uploads leave orphaned partial files because stream destruction is not propagated to the underlying fs.WriteStream, enabling resource exhaustion at scale with no public exploit identified at time of analysis. EPSS probability is low at 0.25% but SSVC marks the issue automatable with partial technical impact.
Use-after-free in Zephyr RTOS's native TCP2 stack allows a concurrent connection teardown - triggered by ordinary TCP traffic from an adjacent-network peer - to invalidate a cached iterator pointer in net_tcp_foreach(), crashing the system or causing the iterator callback to operate on attacker-influenced reallocated memory. All Zephyr releases from the TCP2 stack introduction in 2020 through v4.4.0 (inclusive) are affected. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the primary real-world risk is denial of service against embedded or IoT devices with TCP networking and shell access exposed on an adjacent network segment.
Denial of service in Mattermost Desktop App (versions ≤6.1 and ≤5.5.13.0) allows a malicious Mattermost server owner to crash client applications by injecting a script that calls window.open() with an excessively large URL, exploiting a missing resource limit on URL length processing. Exploitation requires user interaction - the victim must actively connect their Desktop App to an attacker-controlled server - and impact is strictly limited to application availability with no confidentiality or integrity exposure. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Denial of service in the Express.js multer middleware (versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1) allows unauthenticated remote attackers to exhaust CPU and memory by sending a single multipart form request with deeply nested bracket-notation field names. The flaw lives in the append-field dependency, which parses nesting depth without any cap, so one crafted POST can degrade or crash Node.js services. No public exploit identified at time of analysis, but the issue is trivially reproducible against any default multer deployment exposed on the network.
Uncontrolled resource consumption in Datadog Vector v0.54.0 allows authenticated remote attackers to crash or degrade the observability pipeline by sending crafted HTTP requests to the /util/http/prelude.rs handler. The vulnerability is classified as CWE-400 and carries a CVSS 3.1 score of 6.5 (Medium), requiring low-privilege network access with no user interaction. No public exploit identified at time of analysis beyond a GitHub gist that may contain proof-of-concept material; EPSS sits at 0.15% (4th percentile), indicating very low observed exploitation probability in the broader threat landscape.
Denial of service in LLDAP v0.6.2 allows remote unauthenticated attackers to disrupt the authentication service by sending a crafted refresh-token header to the HTTP refresh endpoint. The flaw is a CWE-400 resource handling defect with CVSS 7.5 (availability-only impact); no public exploit is identified, though a referenced gist may contain proof-of-concept material. EPSS is low at 0.18% (8th percentile) and the issue is not on CISA KEV.
NULL pointer dereference in dhcpcd 10.3.0 allows an unauthenticated attacker on the same network segment to crash the DHCP client daemon by sending a crafted packet with unexpected or invalid option tokens. The fault occurs in parse_option() at src/if-options.c:1886, where a NULL return from option lookup is immediately dereferenced as a 'struct dhcp_opt' member without a null check, causing a runtime abort. No public exploit or CISA KEV listing exists, and EPSS sits at the 4th percentile, indicating low but real crash-level risk for any host running this specific dhcpcd version on a shared or adversarially accessible network segment.
Heap buffer overflow in GPAC MP4Box v2.4 crashes the application when processing a maliciously crafted MP4 file, triggering a DoS condition in the CENC DRM sample handler. The vulnerable code path resides in gf_cenc_set_pssh (isomedia/drm_sample.c), which processes Protection System Specific Header data embedded in MP4 containers. SSVC confirms no active exploitation, no public exploit exists, and the CVSS local-vector/user-interaction requirement significantly constrains real-world attack surface.
NULL pointer dereference in GPAC MP4Box v2.4 crashes the application when processing a specially crafted MP4 file, delivering a denial of service against any user or automated pipeline invoking the tool. The flaw is isolated to the TrackWriter handling component in filters/mux_isom.c, triggered by malformed MP4 input that causes an unvalidated pointer dereference. No public exploit code has been identified and this CVE does not appear in CISA KEV; SSVC rates exploitation status as none with no automation potential, consistent with a limited, file-delivery-dependent attack surface.
An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.
Heap buffer overflow in GPAC MP4Box v2.4 crashes the application when parsing a maliciously crafted MP4 file containing an invalid VP codec configuration. The vulnerable function, gf_isom_vp_config_new in isomedia/avc_ext.c, fails to safely handle attacker-controlled input during ISO Base Media File Format parsing, resulting in a Denial of Service condition. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, placing this in a low-urgency remediation tier per SSVC signals.