Denial of Service
Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions.
How It Works
Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions. Attackers exploit asymmetry: minimal attacker effort produces disproportionate resource consumption on the target. Application-level attacks use specially crafted inputs that trigger expensive operations—a regex engine processing malicious patterns can backtrack exponentially, or XML parsers recursively expand entities until memory exhausts. Network-level attacks flood targets with connection requests or amplify traffic through reflection, but application vulnerabilities often provide the most efficient attack surface.
The attack typically begins with reconnaissance to identify resource-intensive operations or unprotected endpoints. For algorithmic complexity attacks, adversaries craft inputs hitting worst-case performance—hash collision inputs filling hash tables with collisions, deeply nested JSON triggering recursive parsing, or pathological regex patterns like (a+)+b against strings of repeated 'a' characters. Resource exhaustion attacks open thousands of connections, upload massive files to unbounded storage, or trigger memory leaks through repeated operations. Crash-based attacks target error handling gaps: null pointer dereferences, unhandled exceptions in parsers, or assertion failures that terminate processes.
Impact
- Service unavailability preventing legitimate users from accessing applications during attack duration
- Revenue loss from downtime in e-commerce, SaaS platforms, or transaction processing systems
- Cascading failures as resource exhaustion spreads to dependent services or database connections pool out
- SLA violations triggering financial penalties and damaging customer trust
- Security team distraction providing cover for data exfiltration or intrusion attempts running concurrently
Real-World Examples
CVE-2018-1000544 in Ruby's WEBrick server allowed ReDoS through malicious HTTP headers containing specially crafted patterns that caused the regex engine to backtrack exponentially, freezing request processing threads. A single attacker could saturate all available workers.
Cloudflare experienced a global outage in 2019 when a single WAF rule containing an unoptimized regex hit pathological cases on legitimate traffic spikes. The .*(?:.*=.*)* pattern exhibited catastrophic backtracking, consuming CPU cycles across their edge network until the rule was disabled.
CVE-2013-1664 demonstrated XML bomb vulnerabilities in Python's XML libraries. Attackers uploaded XML documents with nested entity definitions-each entity expanding to ten copies of the previous level. A 1KB upload could expand to gigabytes in memory during parsing, crashing applications instantly.
Mitigation
- Strict input validation enforcing size limits, complexity bounds, and nesting depth restrictions before processing
- Request rate limiting per IP address, API key, or user session with exponential backoff
- Timeout enforcement terminating operations exceeding reasonable execution windows (typically 1-5 seconds)
- Resource quotas limiting memory allocation, CPU time, and connection counts per request or tenant
- Regex complexity analysis using linear-time algorithms or sanitizing patterns to eliminate backtracking
- Circuit breakers automatically rejecting requests when error rates or latency thresholds indicate degradation
- Load balancing and autoscaling distributing traffic across instances with automatic capacity expansion
Recent CVEs (36508)
Heap corruption in Google Chrome's Cast component prior to version 149.0.7827.53 allows adjacent-network attackers to trigger a use-after-free condition through crafted network traffic, potentially leading to arbitrary code execution within the renderer. Chromium rates the underlying severity as Critical, and no public exploit identified at time of analysis, though the AV:A vector means any attacker sharing the victim's LAN or Wi-Fi segment can attempt exploitation without authentication or user interaction.
Remote code execution in Google Chrome's Cast Streaming component (versions prior to 149.0.7827.53) allows an attacker on the same local network segment to execute arbitrary code by sending malicious network traffic to a vulnerable browser. The flaw is rated Critical by the Chromium project and carries a CVSS 3.1 score of 8.8, with no public exploit identified at time of analysis.
Remote code execution in Google Chrome on macOS prior to 149.0.7827.53 stems from a use-after-free flaw in the Chromoting (Chrome Remote Desktop) component, allowing remote attackers to execute arbitrary code by delivering malicious network traffic. Google's Chromium team rates the underlying defect as Critical severity, and no public exploit has been identified at time of analysis, though the bug class historically attracts in-the-wild exploitation against browser users.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers to exploit a use-after-free condition in the FileSystem component via a crafted HTML page, with user interaction required. Google has rated the underlying Chromium issue as Critical severity, and a vendor patch is available; no public exploit identified at time of analysis, though the high CVSS score (9.6) and scope-changed impact warrant rapid patching.
Remote code execution in Google Chrome for iOS versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code by luring a victim to a crafted HTML page that triggers a use-after-free condition. The flaw is rated Critical by Chromium and carries a CVSS 8.8 score, and while no public exploit is identified at time of analysis, the user-interaction-only barrier (visiting a page) makes drive-by exploitation a realistic concern for unpatched iOS Chrome users.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page targeting a use-after-free flaw in the Chromecast component. Google classifies the underlying issue as Critical severity, and no public exploit has been identified at time of analysis. The bug requires chaining with a separate renderer compromise, which lowers standalone exploitability but makes it valuable as the second stage of a full browser exploit chain.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 stems from a use-after-free flaw in the Network component, allowing a remote attacker to execute arbitrary code within the renderer process when a user visits a crafted HTML page. Google rated this issue Critical at the Chromium level, and a vendor patch is available; no public exploit identified at time of analysis.
Out-of-bounds write/read in Zephyr RTOS (versions ≤ 4.3) affects the TLS socket connect path when the TLS session cache is enabled, where tls_session_store() and tls_session_restore() memcpy a caller-supplied socket address into a fixed-size 24-byte stack buffer using an unvalidated, caller-controlled addrlen. Because struct net_sockaddr is opaque, an application can pass an oversized addrlen (e.g. 128 bytes), corrupting adjacent memory and causing a crash/denial of service, with potential for arbitrary code execution. Publicly available exploit code exists per the SSVC 'poc' status, but EPSS is very low (0.06%, 18th percentile) and it is not on CISA KEV.
Integer underflow in Zephyr RTOS Bluetooth Mesh solicitation handling (versions ≤ 4.3.0) allows any physically proximate, unauthenticated BLE device to corrupt memory via a crafted advertising PDU, potentially causing denial of service or arbitrary code execution on the target device. The flaw resides in bt_mesh_sol_recv() within the OD Private Proxy Server feature and requires no prior pairing or device association to trigger. No public exploit has been identified at time of analysis and EPSS probability is low at 0.02%, but the combination of zero-interaction exploitation and RCE impact on embedded IoT devices warrants prioritization where this configuration is deployed.
SQL injection in OpenMeter's meter creation API allows any authenticated tenant to execute arbitrary ClickHouse SQL against a shared database with no row-level security, enabling full cross-tenant data exfiltration. The vulnerable endpoint is POST /api/v1/meters, where the valueProperty and groupBy fields are interpolated directly into ClickHouse SELECT statements via fmt.Sprintf without parameterization, and the sanitization function (sqlbuilder.Escape) only escapes library-internal placeholder characters - not single quotes. A publicly available exploit code (PoC) exists demonstrating confirmed time-based blind injection, and no public exploit identified at time of analysis in the CISA KEV sense, though the PoC lowers the barrier to exploitation significantly.
Denial of service in the Perl module Net::CIDR::Set through version 0.20 allows remote unauthenticated attackers to trigger indefinite recursion by submitting malformed IP address strings to the add() method. The flaw stems from missing input validation when parsing addresses, causing the parser to re-enter itself without a termination condition. No public exploit identified at time of analysis, but the issue is trivially reproducible and a fixed version 0.21 has been released on CPAN.
Client-side denial of service in Axios versions before 0.32.0 (0.x line) and before 1.16.0 (1.x line) allows attackers who influence the XSRF cookie name configuration to trigger catastrophic regex backtracking when axios reads document.cookie in browser environments. The flaw stems from unescaped interpolation of the cookie name into a dynamically constructed RegExp, and a detailed proof-of-concept is published in the GitHub Security Advisory, though no public exploitation has been observed in the wild.
Denial-of-service via size-limit bypass in Axios 1.7.0 through 1.15.x affects server-side Node.js applications that select the fetch adapter and rely on maxContentLength or maxBodyLength as a security boundary. Attackers controlling response bodies, data: URLs, or forwarded request payloads can exhaust memory, CPU, or network resources because the fetch adapter never reads those limits. No public exploit identified at time of analysis beyond the advisory's own proof-of-concept code.
Denial-of-service via alias amplification in Strawberry GraphQL (versions 0.172.0 through 0.315.6) allows unauthenticated remote attackers to exhaust server resources by bypassing the MaxAliasesLimiter extension using crafted GraphQL fragment spreads. The limiter performs only a static AST alias count, missing the multiplicative expansion that occurs at execution time when a fragment containing N aliases is spread M times - producing N×M resolved aliases against a limit enforced at N+M. A publicly available proof-of-concept exists demonstrating the bypass; no active exploitation has been confirmed in CISA KEV at time of analysis.
Infinite recursion in Strawberry GraphQL's QueryDepthLimiter extension allows unauthenticated remote attackers to crash the validation process and exhaust server resources by submitting queries with circular fragment references. Affected versions 0.71.0 through 0.315.6 of the pip package strawberry-graphql fail to track visited fragments in the determine_depth function, meaning a trivially crafted two-fragment cycle (A spreads B, B spreads A) triggers a Python RecursionError before any query execution occurs. A public proof-of-concept is confirmed in GHSA-qfwv-87qj-98xq; no active exploitation is listed in CISA KEV at time of analysis.
Remote denial-of-service in SolarWinds Serv-U allows unauthenticated attackers to crash the Serv-U service by sending specially crafted POST requests using Content-Encoding: deflate. The flaw carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and maps to CWE-400 (uncontrolled resource consumption), affecting service availability without compromising confidentiality or integrity; no public exploit identified at time of analysis.
Denial of service in Dell BSAFE SSL-J allows unauthenticated remote attackers to exhaust resources on systems using the cryptographic library, rendering affected services unavailable. The flaw stems from CWE-770 (allocation of resources without limits or throttling) and carries a CVSS 7.5 score reflecting network-reachable, no-privilege exploitation with high availability impact. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Uncontrolled resource consumption in KeystoneJS's GraphQL API endpoint allows a remotely authenticated attacker with low-privilege credentials to degrade server availability by submitting deeply nested GraphQL queries that exhaust CPU or memory without bound. Versions up to snapshot 20260319 of the @keystone-6/core package are affected. A public proof-of-concept exists (CVSS E:P), though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 score of 2.1 - indicating limited real-world severity under most deployments.
Denial of service in the Acer Connect M6E 5G Portable WiFi Router (firmware M6E_AI_1.00.000019 and earlier) lets an unauthenticated attacker on the adjacent network abuse the device dissociation API to forcibly unbind arbitrary client endpoints from the router. With no public exploit identified at time of analysis and no CISA KEV listing, this is a connectivity-disruption issue rather than a code execution risk, but it can knock legitimate users off the WiFi at will. CVSS 4.0 scores it 7.1 due to high availability impact via a low-complexity, no-privilege adjacent attack.
Heap out-of-bounds read in Morse Micro HaLowLink 2 prior to version 2.11.12 allows an unauthenticated attacker within 802.11ah radio range to disclose up to 9 bytes of kernel heap memory or trigger a kernel panic (DoS) by transmitting a crafted beacon or probe response frame containing a malformed Vendor Information Element. The morse.ko kernel driver function morse_vendor_find_vendor_ie() fails to validate IE body length against the expected structure size before downstream callers read at fixed offsets, requiring only that the IE length field exceed 3 bytes. No public exploit identified at time of analysis; EPSS places exploitation probability at 0.03% (8th percentile) with no CISA KEV listing, though the zero-prerequisite radio-range attack surface warrants prompt patching for HaLow-enabled deployments.
Resource exhaustion in Open vSwitch v3.6.90 allows an authenticated attacker with OVSDB write access to crash the virtual switch by requesting an unbounded number of handler or revalidation threads via a missing upper-bound check in the udpif_set_threads() function. The SSVC framework confirms a proof-of-concept exploit exists, though the vulnerability is not listed in CISA KEV and automated mass exploitation is assessed as unlikely due to the required management-plane authentication. With CVSS 6.5 and impact limited to availability, this is a moderate-priority finding that becomes high-priority in environments where OVSDB write access is broadly granted or inadequately segmented.
Denial of service in BACnet Stack 1.3.1 occurs through an out-of-bounds read in the bacnet_tag_number_decode function, allowing remote attackers to crash affected building automation systems by sending crafted BACnet protocol messages. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at a very low 0.02%, though the network-reachable nature of BACnet deployments in critical infrastructure warrants attention.
Hash collision weaknesses in SGLang's multimodal Cache Handler (all versions through 0.5.11) allow a local low-privilege attacker to craft multimodal tensor inputs that produce identical cache keys via truncated SHA256 digests, causing incorrect cache lookups or cache invalidation failures that disrupt LLM serving workflows. The CVSS 4.0 score of 1.1 reflects the strictly local attack vector and high exploitation complexity, limiting real-world impact primarily to multi-tenant inference deployments. Publicly available exploit code exists per GitHub issue #25462, though no confirmed active exploitation has been observed and the vulnerability is not listed in the CISA KEV catalog.
XML External Entity (XXE) injection in Docling's USPTO patent backend allows remote attackers to trigger denial of service, read arbitrary server files, or perform SSRF by submitting crafted patent XML to vulnerable versions (>=2.13.0, <2.74.0). The flaw stems from use of Python's unsafe xml.sax.parseString() across the ICE v4.x, Grant v2.5, and Application v1.x parsers. No public exploit identified at time of analysis, but the fix is publicly documented in the vendor advisory and a working patched release is available.
Local file disclosure and denial of service in the Docling document-conversion library (Python pip package, versions 2.45.0 up to 2.91.0) stem from its METS-GBS backend parsing XML and extracting archives without security controls. A maliciously crafted METS-GBS archive processed by Docling can trigger XML External Entity (XXE) resolution to read sensitive local files, or use decompression/zip bombs and unbounded tar extraction to exhaust memory and disk. EPSS is very low (0.01%, 3rd percentile) and there is no public exploit identified at time of analysis; exploitation requires a victim application to process attacker-supplied input.
Stored XSS in the malla Meshtastic dashboard (pip/malla <= 0.1.7) allows any unauthenticated participant on a public MQTT broker to execute arbitrary JavaScript in the browser of every dashboard visitor. Meshtastic node names (long_name, short_name) received via MQTT are stored in SQLite without sanitization and interpolated directly into multiple HTML templates and frontend JavaScript files without output escaping. No CSP restrictions are in place, compounding impact. No public exploit identified at time of analysis, though full reproduction steps are published in GHSA-ch57-39q2-4crm.
Memory exhaustion in quic-go's HTTP/3 implementation allows remote unauthenticated attackers to crash or degrade servers and clients by sending crafted QPACK-encoded HEADERS frames that exploit missing decoded size limits on HTTP trailer field sections. Affected versions (<= 0.59.0) enforce size caps only on the compressed HEADERS frame, not on the decoded output - a malicious peer can achieve roughly 50x expansion via QPACK static table entries, overwhelming available memory. No public exploit code has been identified at time of analysis, but the attack vector is network-accessible with no authentication required, making this a practical denial-of-service risk for any Go application using quic-go for HTTP/3.
Denial of service in Securly Chrome Extension version 3.0.7 allows on-path network attackers to halt all browsing activity by injecting malicious regular expression patterns into an HTTP-delivered configuration file. The extension fetches config.json over plaintext HTTP and compiles attacker-controlled patterns with new RegExp() without complexity checks, enabling catastrophic backtracking (ReDoS). No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the issue is reported by CERT/CC.
Denial of service in the Linux kernel ath12k Wi-Fi driver affects systems using Qualcomm WCN7850 chipsets with multi-link operation (MLO) connections. When Wake-on-WLAN (WoW) offloads are configured on both primary and secondary links during a multi-link connection, the WCN7850 firmware crashes, disrupting wireless connectivity. EPSS exploitation probability is very low (0.02%, 4th percentile) and no public exploit identified at time of analysis, suggesting this is primarily a stability/reliability fix rather than a security priority.
Use-after-free in the Linux kernel's rt9455 power supply driver allows local attackers to trigger memory corruption or system crashes via a race condition during driver probe or removal. The flaw stems from incorrect ordering of devm_-managed resource allocation, where the IRQ handler can fire against a freed or uninitialized power_supply handle. EPSS is very low (0.02%, 7th percentile) and no public exploit is identified at time of analysis, but the CVSS score of 8.4 reflects high impact on confidentiality, integrity, and availability for systems shipping the rt9455 Richtek battery charger driver.
NULL pointer dereference in the Linux kernel's Canaan K230 pinctrl driver causes a local denial of service during device tree parsing. Specifically, k230_pinctrl_parse_functions() dereferences info->pctl_dev->dev before info->pctl_dev is initialized, triggering a kernel panic on systems using the K230 SoC. A low-privileged local attacker on affected hardware can crash the kernel, fully denying system availability. No public exploit code exists and EPSS of 0.02% (5th percentile) indicates minimal exploitation probability; however, the straightforward trigger condition and kernel-crash impact warrant prompt patching on K230-based deployments.
Inverted debug assertion in the Linux kernel PCI/P2PDMA subsystem triggers a spurious kernel warning in p2pmem_alloc_mmap() when CONFIG_DEBUG_VM is enabled, resulting in high availability impact on affected systems. The root cause is a stale VM_WARN_ON_ONCE_PAGE condition that was not updated after commit b7e282378773 changed the initial page refcount from one to zero, causing the assertion to fire on every valid P2PDMA allocation. Authenticated local users with access to P2PDMA-capable hardware can exploit this on debug-compiled kernels to cause denial of service; no public exploit exists and EPSS is 0.02% (4th percentile), reflecting negligible real-world exploitation likelihood.
NULL pointer dereference in the Linux kernel's SPI WPCM FIU driver allows a local low-privileged attacker to crash the kernel via a denial-of-service condition. The wpcm_fiu_probe() function passes the return value of platform_get_resource_byname() directly to resource_size() without validating against NULL, meaning if the named resource is absent the kernel dereferences a NULL pointer and panics. No public exploit exists and no active exploitation is confirmed; EPSS of 0.02% (5th percentile) reflects the narrow, hardware-specific attack surface.
NULL pointer dereference in the Linux kernel's GPIO character device subsystem (gpio/cdev) allows a local, low-privileged user to crash the kernel via a denial-of-service. In linehandle_create(), the macro retain_and_null_ptr(lh) sets lh to NULL, but a subsequent debug printout immediately dereferences that same pointer - triggering a kernel panic. No public exploit has been identified at time of analysis, and EPSS indicates very low exploitation probability at 0.02% (5th percentile), consistent with a local-access-only DoS with no code execution or data exposure component.
Denial of service in the Linux kernel's MIPS architecture support affects builds compiled with LLVM/Clang versions 18 through 21, where the compiler incorrectly restores the $gp global register variable in the relocate_kernel() epilogue. The result is that __current_thread_info points to the unrelocated kernel address space, causing an immediate NULL-pointer dereference in init_idle during early boot and a panic before userspace ever starts. No public exploit identified at time of analysis, EPSS is very low (0.02%), and the issue is a boot-time crash rather than a remotely triggerable flaw.
Kernel crash in the Linux octeontx2-af driver exposes Marvell OcteonTX2 systems to a denial-of-service condition triggered by kexec reboots when both AF and PF drivers are loaded as modules. Because kexec does not power-cycle hardware, the RVUM block revision register retains its pre-reboot value; the PF driver misinterprets this stale register value as confirmation that AF initialization is complete and proceeds to access hardware state that has not yet been reinitialized in the new kernel, producing a kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), confirming this is a niche reliability defect in a specific hardware/driver configuration rather than an adversarially weaponizable flaw.
Kernel crash (denial of service) affects Qualcomm GFX3D GPU clock management on ARM64 Linux systems running vulnerable kernel versions. A regression introduced by commit d228ece36345 ('clk: divider: remove round_rate() in favor of determine_rate()') left the best_parent_hw field unpopulated in parent_req during GFX3D clock rate determination, causing a NULL dereference crash triggered by normal GPU devfreq monitoring. A local low-privileged user on a Qualcomm MSM/Snapdragon device can induce this crash through GPU frequency scaling activity. No public exploit exists and EPSS is 0.02%, consistent with a narrow hardware-specific bug rather than broadly exploitable vulnerability.
Use-after-free in the Linux kernel's pm8916_lbc power supply driver allows a local attacker to potentially trigger memory corruption or kernel crashes during device removal. The flaw stems from incorrect ordering of devm_-managed resources: the extcon handle is freed before the IRQ is unregistered, leaving a window where the IRQ handler invokes extcon_set_state_sync() on freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), reflecting low real-world attacker interest in this driver-specific race.
Null pointer dereference in the Linux kernel's AMD GPU display driver (drm/amd/display) crashes the kernel during Hot Plug Detection (HPD) initialization on systems with AMD GPUs. The amdgpu_dm_hpd_init() function assigns dc_link from a connector but then unconditionally dereferences it at line 940 of amdgpu_dm_irq.c without first confirming it is non-NULL - connectors lacking a valid dc_link trigger a kernel NULL dereference. Exploitation requires local, low-privileged access to a system with an affected AMD GPU; no public exploit has been identified at time of analysis and EPSS probability is 0.02% (5th percentile), indicating very limited real-world exploitation pressure.
NULL pointer dereference in the Linux kernel's PCI endpoint NTB driver allows an authenticated local attacker to crash the kernel (denial of service) by triggering a memory allocation failure during driver initialization. The missing NULL check after `alloc_workqueue()` in `epf_ntb_epc_init()` causes a subsequent `queue_work()` call to dereference a NULL pointer, resulting in a kernel panic. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface; this is not confirmed actively exploited (CISA KEV absent).
Denial of service in Django Daphne before 4.2.2 allows unauthenticated remote attackers to exhaust server memory by sending oversized WebSocket frames or messages. The flaw stems from Daphne failing to forward maxFramePayloadSize and maxMessagePayloadSize limits to the underlying Autobahn WebSocketServerFactory, which defaults both to unlimited. No public exploit identified at time of analysis, and EPSS is low (0.07%), but the CVSS:3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy network-reachable abuse against any deployment exposing WebSockets.
Remote denial-of-service in FRRouting BGP daemon affects stable branches 10.0 through 10.6 via the rfapiRibBi2Ri() function in the RFAPI module. A remote attacker capable of sending crafted BGP UPDATE messages can crash or hang the routing daemon due to missing input validation on encapsulation sub-TLV length fields. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the attack surface is any BGP peer the router accepts sessions from.
Out-of-bounds read in lwext4 1.0.0's ext4_ext_binsearch_idx function (src/ext4_extent.c) exposes applications to memory disclosure or process crashes when parsing a specially crafted ext4 filesystem image. Insufficient validation of extent header fields before binary search traversal of the extent index tree allows invalid pointer arithmetic, resulting in reads beyond the allocated buffer boundary. A publicly available exploit exists on GitHub; no CISA KEV listing has been confirmed, but the combination of a network-deliverable attack vector and public POC elevates practical urgency for lwext4 consumers.
Divide-by-zero in lwext4 1.0.0's ext4_block_set_lb_size function (src/ext4_blockdev.c) crashes any application that mounts or processes a crafted ext4 filesystem image with a zero logical block size. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) confirms the impact is limited to availability - no code execution or data exposure - but the crash is reliable and reproducible. Publicly available exploit code exists demonstrating the issue; no active exploitation has been confirmed by CISA KEV.
NULL pointer dereference in GPAC MP4Box before version 26.02.0 crashes the process when a local user processes a crafted media file, resulting in Denial of Service. The flaw exists in gf_filter_pid_resolve_file_template_ex (filter_pid.c), where prop_val->value.string is passed to strncmp without a prior null check - confirmed by upstream commit diff. Publicly available exploit code exists, but SSVC signals no active exploitation and non-automatable attack conditions; no CISA KEV listing is present.
Denial of service in Apache HTTP Server 2.4.17 through 2.4.67 (via the bundled mod_http2 module) allows remote unauthenticated attackers to exhaust server memory by sending crafted HTTP/2 requests whose cookie headers are not correctly counted against LimitRequestFields. Publicly available exploit code exists and a third-party write-up describes a 'hidden HTTP/2 bomb,' but EPSS exploitation probability is currently very low (0.02%, 5th percentile) and the CVE is not on the CISA KEV list.
Resource exhaustion in Dask up to version 3.0 allows authenticated remote attackers to trigger excessive resource consumption via the `nunique_approx` function in the HyperLogLog (HLL) handler component. The root cause is a HashDoS vulnerability - adversarially crafted string or object-type input values can be engineered to collide within the 32-bit hash space used for approximate distinct counting and shuffle partitioning, causing partition hotspotting and disproportionate CPU/memory load on worker nodes. No public exploit code exists at time of analysis, and the CVSS score of 3.1 (Low) with AC:H and A:L confirms limited real-world availability impact absent a targeted, high-complexity effort.
Use-after-free in OpENer's EtherNet/IP stack (versions up to 2.3.0) exposes industrial control system deployments to remote memory corruption via the CIP SendRRData handler. A low-privileged network attacker can manipulate the `CreateMessageRouterRequestStructure` function in `cipmessagerouter.c` to access freed memory, leading to denial of service, memory corruption, or potentially arbitrary code execution. A public proof-of-concept exploit has been disclosed, and the maintainer has not responded to the coordinated disclosure issue (#566), meaning no patch is available at time of analysis.
Uncontrolled resource consumption in johnhuang316 code-index-mcp versions up to 2.14.0 allows an authenticated remote attacker with low privileges to trigger a denial of service by supplying a catastrophically backtracking regex pattern to the `search_code_advanced` tool's `regex` argument. The `is_safe_regex_pattern` validation function fails to reject pathological patterns, causing the MCP server process to exhaust CPU resources and become unresponsive. A public proof-of-concept exploit exists (CVSS 4.0 E:P); no active exploitation via CISA KEV has been reported, and impact is limited to availability of the vulnerable component only.
ReDoS (Regular Expression Denial of Service) in wonderwhy-er DesktopCommanderMCP versions up to 0.2.38 allows authenticated remote attackers to exhaust server CPU by supplying crafted regex patterns with nested quantifiers to the start_search function in src/search-manager.ts. The unpatched code compiled user-controlled regex patterns directly into JavaScript RegExp objects without validating for catastrophic backtracking constructs, enabling partial availability degradation. A public proof-of-concept exploit exists (CVSS E:P), though the vulnerability is not listed in CISA KEV, and the CVSS 4.0 base score of 2.1 reflects its limited, low-availability impact.
Denial of service in the Cpanel::JSON::XS Perl module before version 4.41 allows remote attackers to crash any caller that decodes a UTF-8 BOM prefixed JSON document with a throwing filter callback. The flaw arises from a missed pointer restoration when decode_json aborts via a Perl exception, leaving the input scalar with a corrupted SvPVX pointer that fatally aborts the interpreter on later free. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but CISA SSVC marks the issue as automatable with partial technical impact.
Type confusion in Cpanel::JSON::XS (Perl) versions before 4.41 allows remote attackers to crash a decoder by submitting JSON with duplicate object keys when the dupkeys_as_arrayref option is enabled. The decode_hv() routine dereferences a scalar as a reference before verifying its type, turning attacker-controlled scalar contents into a wild pointer access. No public exploit identified at time of analysis; EPSS is 0.02% and CISA SSVC marks exploitation as 'none' but automatable with partial technical impact.
Persistent denial-of-service in the Mercusys AC12G (EU) V1 router running firmware AC12G(EU)_V1_200909 allows an unauthenticated adjacent-network attacker to crash the device by sending a low number of crafted, incomplete HTTP requests, rendering it unresponsive until physically power-cycled. The attack exploits uncontrolled resource consumption (CWE-400) in the router's HTTP service, which fails to safely handle malformed or truncated connections. No public exploit code or active exploitation has been identified at time of analysis, and SSVC signals confirm exploitation status as none.
Denial of service in GoBGP v4.3.0 allows unauthenticated remote attackers to crash or hang BGP speakers by sending a malformed BGP UPDATE message that triggers an integer underflow in the BGPUpdate.DecodeFromBytes parser. The underflow causes uint16 length counters (routelen and pathlen) to wrap to ~65k, leading the parser to silently consume the buffer or fail in ways that disrupt session processing. EPSS is very low (0.04%) and there is no public exploit identified at time of analysis, but the upstream commit demonstrating the bug is publicly visible.
Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-adjacent attackers to trigger high CPU load by sending specially crafted,. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.
Unbounded memory allocation in warmcat libwebsockets up to 4.5.8 allows remote unauthenticated attackers to exhaust server heap resources by sending SSH packets with a crafted oversized `msg_len` value, resulting in denial of service. The vulnerability is confined to deployments using the optional SSH server plugin (`protocol_lws_ssh_base`) and carries a CVSS 5.3 Medium rating with no confidentiality or integrity impact. A public proof-of-concept exploit exists and the CVSS temporal vector confirms exploit availability (E:P) and an official patch (RL:O); no CISA KEV listing indicates no confirmed widespread in-the-wild exploitation as of the analysis date.
Denial-of-service in SolarWinds Web Help Desk allows remote unauthenticated attackers to crash the server by exhausting available memory. The flaw is network-reachable with low attack complexity and requires no privileges or user interaction (CVSS 8.2), and no public exploit identified at time of analysis. The issue was reported by SolarWinds and addressed in the Web Help Desk 2026.2 release.
Dräger Atlan A350 software versions 1.00 through 1.01 contains an improper input handling vulnerability that allows attackers to cause a denial of service by sending specifically crafted. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required.
Dräger Infinity M300 patient worn monitors with software version VG2.x and earlier contain a network-based denial of service vulnerability that allows attackers with access to the hospital or. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Denial-of-service in elixir-tesla Tesla versions 0.6.0 through 1.18.2 allows remote servers to crash or freeze calling Elixir/BEAM processes by returning a tiny gzip- or deflate-encoded response body that decompresses into gigabytes. The flaw lives in Tesla.Middleware.DecompressResponse / Tesla.Middleware.Compression, which eagerly inflated response bodies with no size cap and recursed once per token in the content-encoding header, so a header of 'gzip, gzip, gzip, gzip' produced exponential amplification. No public exploit identified at time of analysis, but the vendor has shipped a patch in 1.18.3 and the CVSS 4.0 score of 8.2 (VA:H) reflects high availability impact.
Denial of service in the Elixir Tesla HTTP client (versions 1.3.0 through 1.18.2) when using the Tesla.Adapter.Mint adapter allows remote attackers to crash the entire BEAM VM by exhausting the atom table. Each request whose URL scheme is attacker-controlled mints a fresh, never-garbage-collected atom via String.to_atom/1, and after roughly 1,048,576 such requests the VM terminates. No public exploit identified at time of analysis, but the upstream fix and a regression test that asserts no atoms are minted for unknown schemes are both publicly visible on GitHub.
Dräger Perseus A500 software versions 2.00 through 2.02 contains an improper input handling vulnerability that allows external attackers to cause a denial of service by sending specifically crafted. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Persistent denial-of-service in wire-ios prior to version 4.16.0 allows any authenticated Wire user to permanently crash the victim's iOS client by sending a single crafted Proteus external message with an encrypted payload shorter than 16 bytes. The crash triggers automatically upon message receipt with no user interaction required, and because the malicious message persists in local storage, the app enters an unrecoverable crash loop on every subsequent relaunch - effectively locking the victim out of the application entirely until local state is wiped. No public exploit code is identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Denial of service in React Router 7.0.0-7.14.x and @remix-run/server-runtime 2.10.0-2.17.4 allows remote unauthenticated attackers to exhaust server resources by sending crafted requests to the __manifest endpoint, which triggers unbounded path expansion. Only applications running in React Router Framework Mode or Remix are affected; Declarative Mode (<BrowserRouter>) and Data Mode (createBrowserRouter) deployments are not. No public exploit identified at time of analysis, and the issue is patched in react-router 7.15.0 and @remix-run/server-runtime 2.17.5.
Client-side Cross-Site Scripting in React Router 7.7.0 through 7.13.1 affects applications using the unstable React Server Components (RSC) APIs, where redirect handling fails to sanitize destinations originating from untrusted sources. An attacker who can influence redirect targets consumed by RSC handlers may inject script payloads that execute in the victim's browser, with no public exploit identified at time of analysis. The advisory is published as GHSA-rxv8-25v2-qmq8 and the issue is fixed in 7.13.2.
Dräger Infinity M300 patient worn monitors with software version VG2.3.1 and earlier contain a network-based denial of service vulnerability that allows network-adjacent attackers to repeatedly. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Local denial of service in NI's NI-PAL kernel driver (versions 26.3.0 and prior on Windows and Linux) allows an authenticated local user to crash the host system by sending malformed input that triggers a NULL pointer dereference in kernel space. No public exploit identified at time of analysis, but the kernel-level impact means a successful trigger takes down the entire host, not just the driver process. The issue is vendor-disclosed by NI with an advisory published on ni.com.
SAML assertion validation in authentik's ResponseProcessor.parse() completely omits verification of the Conditions element, allowing unauthenticated remote attackers (PR:N per CVSS 4.0 vector) to replay expired SAML assertions or submit assertions originally issued for a different service provider. All authentik deployments prior to versions 2025.12.5 and 2026.2.3 that use SAML sources are affected. This is not listed in CISA KEV and no public exploit has been identified at time of analysis, but the low-complexity, network-accessible attack path against a core authentication primitive makes this a meaningful integrity risk in any SAML-federated deployment.
Denial of service in TP-Link Tapo C200 v5 IP cameras allows adjacent network attackers to crash the RTSP service and force a device reboot by sending a crafted Authorization header in an RTSP authentication request. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP authentication handler; no public exploit identified at time of analysis, but vendor-acknowledged and patched firmware is available from TP-Link.
Klaw, Aiven-Open's self-service Apache Kafka topic management portal, is vulnerable to targeted account lockout and Denial of Service via inconsistent case sensitivity handling in its user registration and login mechanisms, affecting all releases prior to v2.10.4. An attacker already holding high-privileged access (PR:H per CVSS vector) can register a username that is a case variant of an existing account, causing the legitimate account to become inaccessible. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS score of 2.7 (Low) accurately reflects the narrow, high-privilege-dependent attack surface.
Memory exhaustion in the Elixir Mint HTTP/2 client (versions 0.1.0 through 1.8.x) allows a malicious or compromised HTTP/2 server to crash the client's BEAM process via a CONTINUATION frame flood. The client's receive path buffers HEADERS and CONTINUATION fragments into an unbounded accumulator because SETTINGS_MAX_HEADER_LIST_SIZE defaulted to :infinity and was only enforced on outbound requests, so a single attacker-controlled endpoint can force unlimited iolist growth until the process dies. No public exploit identified at time of analysis, but a verified upstream patch and detailed advisory exist.
Memory exhaustion in elixir-mint Mint HTTP/2 client (versions 0.2.0 through 1.8.x) allows a malicious HTTP/2 server to crash the client process by flooding PUSH_PROMISE frames without follow-up HEADERS, since reserved stream entries bypass the max_concurrent_streams cap. CVSS 4.0 score is 8.2 with attack vector network and high availability impact, but no public exploit is identified at time of analysis and the bug requires the client to connect to a hostile server. Server push is accepted by default (enable_push=true), so any Mint-based HTTP client reaching an attacker-controlled origin is exposed.
Reachable assertion in SGLang 0.5.10.post1's LoRA adapter scheduler allows a remote unauthenticated attacker to trigger a denial of service via a crafted `lora_path` argument to the inference HTTP endpoint. The root cause is a logic flaw in the batch prefill scheduler: chunked LoRA prefill requests already admitted to the prefill queue are invisible to the LoRA admission check, enabling N+1 distinct adapters to be submitted when `max_loras_per_batch=N`, which forces an assertion failure in `lora_manager.py`. A publicly available proof-of-concept exists (no public exploit identified at time of analysis in the KEV sense), and the CVSS 4.0 score of 2.9 reflects high attack complexity and limited availability impact.
Null pointer dereference in whisper.cpp up to version 1.8.2 allows a local authenticated attacker to crash the application via a crafted input during model loading. The vulnerable code path is the whisper_model_load function within ggml/src/ggml.c, resulting in a limited availability impact (application denial of service) with no confidentiality or integrity consequences. A proof-of-concept exploit is publicly available via a GitHub issue report; however, no vendor patch has been released and the project has not yet responded to the disclosure.
Local privilege escalation and memory corruption in Qualcomm Snapdragon platforms allows an attacker with low-privileged local access to corrupt memory during secure data initialization, leading to high impact on confidentiality, integrity, and availability. The flaw is traceable to a NULL pointer dereference (CWE-476) reachable when heap memory is exhausted, and is addressed in the Qualcomm June 2026 security bulletin. No public exploit identified at time of analysis, and EPSS data was not provided.
Local memory corruption in Qualcomm Snapdragon platforms (CVE-2025-59604) allows a low-privileged local attacker to trigger invalid memory writes via a null pointer condition during a memory copy operation, resulting in high confidentiality, integrity, and availability impact (CVSS 7.8). The flaw is disclosed in the Qualcomm June 2026 security bulletin with no public exploit identified at time of analysis and no CISA KEV listing. While CWE-476 (null pointer dereference) typically yields denial of service, the vendor's CIA:H scoring indicates the invalid writes may be steerable into broader corruption beyond a simple crash.
Denial of service conditions in SourceCodester Customer Review App 1.0 can be triggered by a locally authenticated low-privilege user through crafted input to the add_review, save_review, or get_all_reviews functions in review_app.py. Manipulation of the name or comment arguments causes improper resource shutdown or release (CWE-404), resulting in application unavailability. No public exploit identified at time of analysis has crossed into confirmed active exploitation per CISA KEV, but a publicly available proof-of-concept exists on Pastebin (https://pastebin.com/Ud5vaGp6), lowering the bar for reproduction.
Unauthorized emergency call placement is possible on Google Android 14, 15, 16, and 16-QPR2 due to a logic error in the fixInitiatingUserIfNecessary method of CallIntentProcessor.java. An unauthenticated local actor - requiring no privileges on the device - can exploit this flaw to initiate an emergency call outside of intended user controls. No public exploit has been identified at time of analysis, and SSVC assessment indicates no current exploitation activity.
Local denial of service in Google Android's DevicePolicyManagerService affects Android 14, 15, 16, and 16-qpr2 via improper input validation across multiple service functions. A local attacker with basic user-level privileges can trigger a desynchronization between in-memory and persisted device policy state without requiring user interaction, resulting in high availability impact to the device policy management subsystem. No public exploit has been identified at time of analysis, and SSVC confirms exploitation status as none with non-automatable impact.
Local denial of service in Google Android's contacts subsystem allows a low-privileged local user to crash or destabilize the Contacts provider by inserting an oversized contact name field. Affected platforms include Android 14, 15, 16-qpr2, and 16. No special privileges beyond a standard app context are required, and no user interaction is needed, making this exploitable by any installed app with contacts write access. No public exploit identified at time of analysis.
Integer overflow in Google Android's ubsan_throwing_runtime.cpp enables remote denial of service across Android 14, 15, 16, and 16-qpr2. A network-accessible low-privileged attacker can trigger a process crash through crafted input targeting multiple functions in this runtime component, resulting in complete availability loss with no user interaction required. No public exploit code has been identified at time of analysis, and Google addressed the issue in the June 2026 Android Security Bulletin.
Integer overflow in Android's UBSan throwing runtime (ubsan_throwing_runtime.cpp) enables a local attacker with low privileges to cause a persistent denial of service across Android 14 through Android 16 QPR2. The flaw affects multiple functions within the file and requires no user interaction to trigger, making it exploitable by a malicious on-device application without elevated privileges. No public exploit identified at time of analysis, and the local-only attack vector constrains real-world scope, but the persistent nature of the availability impact elevates operational concern over transient crash-based DoS.
Resource exhaustion in Android's launcher image processing component allows a local low-privileged application to trigger a denial of service condition across Android 14 through 16. The flaw resides in the getPreferredSize method of LauncherProcessImageListener.kt, where uncontrolled resource consumption (CWE-400) can be induced without requiring elevated privileges or user interaction, resulting in high availability impact to the affected device. No public exploit code and no active exploitation have been identified at time of analysis; the CVSS score of 5.5 reflects the local-only attack surface and absence of confidentiality or integrity impact.
Local denial of service in Google Android's DevicePolicyManagerService allows an authenticated local attacker to hide system-critical packages through improper input validation, rendering affected device functionality unavailable. Impacted versions span Android 14, 15, 16, and 16-qpr2, as confirmed in the June 2026 Android Security Bulletin. No public exploit or CISA KEV listing exists at time of analysis, and exploitation requires only low-level local privileges with no user interaction.
Resource exhaustion in Android 14's APK signature verification routine crashes the affected component, resulting in a local denial of service. The flaw resides in the verifySignature method of ApkChecksums.java, where uncontrolled resource consumption (CWE-400) can be triggered by a low-privileged local process with no user interaction required. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Permanent local denial of service in Google Android (versions 14, 15, 16, and 16-qpr2) is possible through a logic error in multiple functions of ubsan_throwing_runtime.cpp, Android's Undefined Behavior Sanitizer throwing runtime. A low-privileged local user can trigger the flaw without any user interaction, causing an unrecoverable availability failure in the affected component - requiring a reboot or process restart to restore normal function. No public exploit code exists and no CISA KEV listing is present at time of analysis, indicating this is not currently under widespread active exploitation.
Persistent local denial of service in Google Android affects the ANGLE graphics driver state management component across Android 14, 15, 16, and 16-qpr2. A low-privileged local process can trigger a persistent DoS condition via the updateState method in GraphicsDriverEnableAngleAsSystemDriverController.java without requiring any user interaction, potentially rendering the device unusable until rebooted. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.
Remote denial of service in Google Android (versions 14, 15, 16, and 16-qpr2) is achievable by an authenticated network attacker exploiting an integer overflow in multiple functions of ubsan_throwing_runtime.cpp. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity network exploitation requiring only low-privilege authentication and no user interaction, resulting in a full availability impact (A:H). No public exploit code or CISA KEV listing has been identified at time of analysis, though the broad version coverage across current and recent Android releases makes this a notable patching priority.
Remote denial-of-service in Google Android's UBSan runtime (ubsan_throwing_runtime.cpp) allows a low-privileged network attacker to crash the system across Android 14, 15, 16, and 16-qpr2. The flaw stems from improper input validation in multiple functions of the Undefined Behavior Sanitizer throwing runtime, a component integrated into Android's native code execution layer. No user interaction is required and no public exploit has been identified at time of analysis; the vulnerability is addressed in the June 2026 Android Security Bulletin.
Remote denial of service in Google Android versions 14, 15, 16, and 16-qpr2 stems from an integer overflow across multiple functions in ubsan_throwing_runtime.cpp, a low-level UBSan instrumentation component. An authenticated attacker with low privileges can trigger a full system crash over the network with no user interaction required, achieving complete availability impact (CVSS A:H) with no confidentiality or integrity risk. No public exploit or CISA KEV listing has been identified at time of analysis, and Google addressed the issue in the June 2026 Android Security Bulletin.