Skip to main content

Denial of Service

other MEDIUM

Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions.

How It Works

Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions. Attackers exploit asymmetry: minimal attacker effort produces disproportionate resource consumption on the target. Application-level attacks use specially crafted inputs that trigger expensive operations—a regex engine processing malicious patterns can backtrack exponentially, or XML parsers recursively expand entities until memory exhausts. Network-level attacks flood targets with connection requests or amplify traffic through reflection, but application vulnerabilities often provide the most efficient attack surface.

The attack typically begins with reconnaissance to identify resource-intensive operations or unprotected endpoints. For algorithmic complexity attacks, adversaries craft inputs hitting worst-case performance—hash collision inputs filling hash tables with collisions, deeply nested JSON triggering recursive parsing, or pathological regex patterns like (a+)+b against strings of repeated 'a' characters. Resource exhaustion attacks open thousands of connections, upload massive files to unbounded storage, or trigger memory leaks through repeated operations. Crash-based attacks target error handling gaps: null pointer dereferences, unhandled exceptions in parsers, or assertion failures that terminate processes.

Impact

  • Service unavailability preventing legitimate users from accessing applications during attack duration
  • Revenue loss from downtime in e-commerce, SaaS platforms, or transaction processing systems
  • Cascading failures as resource exhaustion spreads to dependent services or database connections pool out
  • SLA violations triggering financial penalties and damaging customer trust
  • Security team distraction providing cover for data exfiltration or intrusion attempts running concurrently

Real-World Examples

CVE-2018-1000544 in Ruby's WEBrick server allowed ReDoS through malicious HTTP headers containing specially crafted patterns that caused the regex engine to backtrack exponentially, freezing request processing threads. A single attacker could saturate all available workers.

Cloudflare experienced a global outage in 2019 when a single WAF rule containing an unoptimized regex hit pathological cases on legitimate traffic spikes. The .*(?:.*=.*)* pattern exhibited catastrophic backtracking, consuming CPU cycles across their edge network until the rule was disabled.

CVE-2013-1664 demonstrated XML bomb vulnerabilities in Python's XML libraries. Attackers uploaded XML documents with nested entity definitions-each entity expanding to ten copies of the previous level. A 1KB upload could expand to gigabytes in memory during parsing, crashing applications instantly.

Mitigation

  • Strict input validation enforcing size limits, complexity bounds, and nesting depth restrictions before processing
  • Request rate limiting per IP address, API key, or user session with exponential backoff
  • Timeout enforcement terminating operations exceeding reasonable execution windows (typically 1-5 seconds)
  • Resource quotas limiting memory allocation, CPU time, and connection counts per request or tenant
  • Regex complexity analysis using linear-time algorithms or sanitizing patterns to eliminate backtracking
  • Circuit breakers automatically rejecting requests when error rates or latency thresholds indicate degradation
  • Load balancing and autoscaling distributing traffic across instances with automatic capacity expansion

Recent CVEs (36508)

EPSS 0% CVSS 2.1
LOW POC Monitor

Denial of service vulnerability in Open5GS up to version 2.7.7 affects the NSSF component's service discovery function, allowing remote authenticated attackers to cause availability impact through manipulation of the ogs_sbi_discovery_option_add_service_names function. Public exploit code exists and the vulnerability carries low CVSS score (2.1) reflecting limited impact scope, though the project has not yet responded to early notification.

Denial Of Service Open5gs
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the NSSF (Network Slice Selection Function) component via a crafted PLMN list in the SBI (Service Based Interface) parser. The vulnerability exists in the ogs_sbi_parse_plmn_list function within /lib/sbi/conv.c and has been publicly disclosed with exploit code available; the vendor has not yet released a patch despite early notification.

Denial Of Service Open5gs
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to manipulate the NSSF network selection function via the nssf_nnrf_nsselection_handle_get_from_amf_or_vnssf handler in /src/nssf/nnssf-handler.c, causing service unavailability. Public exploit code exists and the vulnerability has been reported to the project, though no patch has been released as of analysis time.

Denial Of Service Open5gs
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Denial of service in Open5GS up to version 2.7.7 affects the NSSF component's stream identification function in the nghttp2-server library. Local authenticated attackers can manipulate the ogs_sbi_stream_find_by_id function to cause service unavailability. Publicly available exploit code exists, though the vendor has not yet responded to early disclosure notification.

Denial Of Service Open5gs
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in lwjson 1.8.1 streaming parser allows remote unauthenticated attackers to cause indefinite application hang by sending JSON strings containing escaped backslashes followed by quotes (e.g., "text\\\"). The vulnerability stems from flawed end-of-string detection logic in lwjson_stream.c that fails to properly count consecutive backslashes before quote characters. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and no authentication required, this represents a readily exploitable availability risk for applications using lwjson_stream_parse(), though no active exploitation or POC weaponization is confirmed at time of analysis.

Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Mikrotik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allows a remote attacker to cause a denial of service (device crash) via crafted packet data to the SMB service on TCP port 445. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Mikrotik
NVD GitHub Exploit-DB
EPSS 2% CVSS 5.3
MEDIUM This Month

The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Denial Of Service RCE +1
NVD VulDB
EPSS 2% CVSS 7.8
HIGH This Week

The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Denial Of Service RCE +1
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Remote code execution and denial-of-service in dash-uploader Python library allows unauthenticated network attackers to execute arbitrary code or crash applications via malicious file uploads. Versions 0.1.0 through 0.7.0a2 contain flaws in HTTP request handler (httprequesthandler.py), upload function (upload.py), and max_file_size parameter processing (configure_upload.py). Confirmed public exploit code exists (GitHub: a1ohadance/CVE-2026-38361), elevating risk despite CVSS indicating only availability impact - the RCE tag contradicts the CVSS vector's C:N/I:N rating, suggesting incomplete impact assessment. EPSS data unavailable; not in CISA KEV at time of analysis. Affects popular Python file upload component with thousands of monthly downloads per PyPI statistics.

Denial Of Service RCE
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenStack Cyborg before 16.0.1 fails to enforce project ownership in the Accelerator Request (ARQ) API, allowing any authenticated non-admin user to delete, modify, or access ARQs bound to other projects' instances across tenant boundaries. The vulnerability stems from a combination of unpopulated project_id columns, missing database-layer filtering, and self-referential authorization checks, enabling cross-tenant denial of service and potential information disclosure. EPSS risk is moderate (6.3 CVSS), and the vulnerability requires valid authentication but no special privileges or interaction, making it exploitable by any tenant user in multi-tenant OpenStack deployments.

Denial Of Service
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Denial of service in GitHub Enterprise Server allows unauthenticated remote attackers to disrupt service by sending deeply nested JSON payloads to an unprotected API endpoint, causing excessive CPU and memory consumption. Affected versions prior to 3.21 (specifically 3.16.0-3.20.1) lack request size and depth validation. Vendor-released patches available for all affected branches: 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18.

Denial Of Service Enterprise Server
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Allocation amplification in Zebra network deserializers allows unauthenticated remote peers to force excessive memory preallocation and parsing overhead across multiple message types (headers, blocks, transactions) by exploiting the use of generic transport/block-size ceilings instead of protocol-specific limits. An attacker can trigger 8.8x oversized header allocations, unbounded equihash solution parsing, and inflated Sapling spend vector allocations on inbound peer messages, causing denial of service through cumulative per-connection and multi-peer fan-in effects. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible, unauthenticated exploitation of default configurations; no public exploit identified at time of analysis, but vendor-released patch available in Zebra 4.4.0.

Denial Of Service Deserialization
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in Go standard library net/mail package allows remote unauthenticated attackers to exhaust CPU and memory resources via maliciously crafted email addresses or dates. The vulnerability affects ParseAddress, ParseAddressList, and ParseDate functions in Go versions prior to 1.25.10 and 1.26.0-1.26.2. Confirmed actively exploited (CISA KEV status not indicated; exploitation probability 0.02% per EPSS). Vendor-released patches available in Go 1.25.10 and 1.26.3.

Denial Of Service Net Mail
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Memory corruption in Go's net library (versions <1.25.10 and 1.26.0-1.26.2) leads to application crash when parsing maliciously crafted CNAME DNS responses. Remote attackers can trigger double-free of C memory in the cgo DNS resolver's LookupCNAME function by sending excessively long CNAME records, causing immediate denial of service. EPSS score of 0.01% (1st percentile) indicates minimal observed exploitation activity despite network-accessible attack vector and no authentication requirement. Vendor patch available via Go 1.25.10 and 1.26.3.

Denial Of Service Net
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

Microsoft Null Pointer Dereference Denial Of Service
NVD VulDB GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Denial Of Service Golang Org X Net Http2 Net Http
NVD VulDB GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Null pointer dereference in PHP 8.2.x causes denial of service through remote attacks requiring user interaction and persistent attack timing. CVE-2026-7259 is one of eight vulnerabilities patched in PHP 8.2.31, with a low CVSS score (2.1) reflecting the attack complexity and limited availability impact, though the null pointer dereference class (CWE-476) can escalate in severity depending on code context. No public exploit code or active exploitation has been identified at time of analysis.

Denial Of Service Microsoft PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 2.9
LOW PATCH Monitor

PHP 8.2.31 addresses a null pointer dereference vulnerability (CVE-2026-7262) that can cause denial of service through remote network access without authentication. The vulnerability has a low CVSS score of 2.9 due to attack complexity factors, but the vendor has released PHP 8.2.31 as an immediate security patch addressing this and seven related CVEs. All PHP 8.2 users should upgrade to mitigate the impact.

Denial Of Service Microsoft PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Uncontrolled resource consumption in ericmj decimal library (versions 0.1.0 before 3.0.0) allows remote denial of service via maliciously crafted decimal values with extremely large exponents. When applications parse user-supplied decimal input and subsequently perform arithmetic operations, string formatting, rounding, or comparison, the library allocates memory proportional to the exponent magnitude without bounds, exhausting available memory and crashing the BEAM virtual machine. A single malicious request is sufficient to trigger an out-of-memory crash.

Denial Of Service Decimal
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM This Month

Local denial-of-service vulnerability in ZTE Cloud PC client uSmartview allows authenticated local attackers to trigger memory corruption and crash the application through a use of externally-controlled format string (CWE-134). CVSS 4.7 with local attack vector and high complexity indicates limited real-world exploitability; no public exploit identified at time of analysis.

Zte Denial Of Service Buffer Overflow
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory and CPU exhaustion in the Netty MQTT codec (io.netty:netty-codec-mqtt) lets remote unauthenticated attackers send oversized MQTT 5 header Properties that are decoded and buffered before the message size limit is enforced. Because MqttDecoder extends ReplayingDecoder, the enormous Properties section is repeatedly re-parsed and re-buffered until parsing completes, driving an application-availability denial of service. There is no public exploit identified at time of analysis, and EPSS is very low (0.04%), but the flaw is automatable and trivial to trigger against any MQTT 5 broker or client built on Netty.

Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service in vm2 Node.js sandbox allows unauthenticated remote attackers to crash host processes via unbounded Buffer.alloc() calls. The vm2 library's timeout mechanism cannot interrupt synchronous C++ native calls, enabling attackers to bypass configured timeout limits and exhaust host heap memory with a single HTTP request. Version 3.11.0 patches this flaw by introducing bufferAllocLimit controls. Publicly available exploit code exists (GHSA-6785-pvv7-mvg7 includes working POC), and while EPSS data is unavailable and the vulnerability is not listed in CISA KEV, the vendor-confirmed POC demonstrates reliable exploitation against default configurations.

Kubernetes Denial Of Service Docker +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

MongoDB Server 8.2 before version 8.2.7 crashes when an authenticated user supplies an empty pipeline to $rankFusion or $scoreFusion aggregation operators on a view. The server fails to validate that the pipeline array is non-empty before accessing its first element during view resolution, resulting in a null pointer dereference that terminates the mongod process. This denial-of-service condition requires database authentication but can be triggered remotely via aggregation queries.

Denial Of Service Null Pointer Dereference Mongodb Server
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Remote unauthenticated attackers can crash Node.js processes running vm2 <= 3.10.5 by triggering an unhandled Promise rejection that terminates the host application. The vulnerability exploits an incomplete fix for CVE-2026-22709 - while previous patches sanitized `.then()` and `.catch()` callback chains, they failed to intercept unhandled rejections originating from Promise constructor executors. Publicly available exploit code exists (GitHub advisory GHSA-hw58-p9xv-2mjh). The attack requires minimal resources (150-byte HTTP request) but achieves high impact by crashing entire server processes serving all concurrent users, with demonstrated persistent DoS despite container orchestration restart policies.

Kubernetes Denial Of Service Docker +1
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Tor before version 0.4.9.7 crashes due to a NULL pointer dereference when CERT cells are received out of order, causing denial of service against relay nodes and clients. Remote unauthenticated attackers on the network can trigger this crash by sending malformed cell sequences, disabling affected Tor instances. No active exploitation confirmed, but the vulnerability affects core protocol handling in all affected versions.

Denial Of Service Null Pointer Dereference Tor
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Tor before version 0.4.9.7 can crash due to a double-close vulnerability in circuit handling when memory pressure conditions exist on the circuit queue, resulting in denial of service to affected clients. The vulnerability requires specific network conditions (high circuit queue load) to trigger but affects all Tor clients running vulnerable versions. A patch is available in Tor 0.4.9.7 and later.

Denial Of Service Tor
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated remote attackers crash Gotenberg 8.x (≤ 8.31.0) by triggering a race condition between webhook goroutine context reuse and Echo framework connection pooling. When webhook middleware spawns an async goroutine holding an `echo.Context` reference, the synchronous handler returns immediately, recycling the context to Echo's `sync.Pool`. Concurrent requests reset the pooled context, causing unchecked type assertions in the still-running webhook goroutine to panic outside any `recover()` scope, terminating the process with exit code 2. Twenty-four webhook requests plus sixty concurrent GET requests demonstrate reliable two-second crash windows. No patch was available at initial disclosure; upstream commit fixes the panic in version 8.32.0. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects trivial unauthenticated network exploitation producing complete service disruption.

Kubernetes Denial Of Service Python +3
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Decompression bomb protection bypass in Netty's HttpContentDecompressor and DelegatingDecompressorFrameListener allows remote unauthenticated attackers to trigger out-of-memory denial of service by switching Content-Encoding from gzip to brotli, zstd, or snappy. The configured maxAllocation parameter correctly limits gzip/deflate decompression but is silently ignored for these alternative encodings, enabling attackers to decompress gigabytes of data from kilobyte-sized payloads. Affects both HTTP/1.1 (netty-codec-http) and HTTP/2 (netty-codec-http2) implementations. CVSS 7.5 (High) with network vector, low complexity, and no authentication required. Vendor-released patches available: versions 4.1.133.Final and 4.2.13.Final. No active exploitation confirmed at time of analysis, but publicly disclosed proof-of-concept demonstrates trivial header-based bypass requiring only changing 'Content-Encoding: gzip' to 'Content-Encoding: br'.

Denial Of Service Java Python
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory exhaustion in Netty's Lz4FrameDecoder allows remote unauthenticated attackers to cause denial of service by sending minimal malicious data that triggers disproportionate server-side memory allocation. A 22-byte crafted LZ4 frame forces the decoder to allocate up to 32MB of heap memory per request, enabling resource exhaustion attacks against Java applications using Netty's compression codec. Publicly available exploit code exists (PoC published in GitHub advisory GHSA-mj4r-2hfc-f8p6). CVSS 7.5 indicates network-exploitable high-availability impact with no authentication or complexity barriers, though real-world risk depends on whether LZ4 decompression is exposed to untrusted network inputs.

Denial Of Service Java Suse
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Memory exhaustion in Netty HTTP/3 codec allows remote attackers to cause server crash or denial of service through malformed QPACK headers. The vulnerability affects io.netty:netty-codec-http3 versions up to 4.2.12.Final and enables unauthenticated attackers to force gigabyte-scale memory allocations with minimal wire data-a crafted HEADERS frame of just 10 bytes can trigger ~1 GiB allocation. Publicly available exploit code exists (PoC provided in GitHub advisory GHSA-2c5c-chwr-9hqw). CVSS 7.5 (High) reflects network-accessible attack requiring no privileges or user interaction.

Denial Of Service Java
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Improper enforcement of RFC 1035 domain-name constraints in Netty's DNS codec (io.netty.handler.codec.dns.DnsCodecUtil) lets attacker-influenced names bypass validation in both directions: the decoder accepts oversized labels (>63 bytes) and total names (>255 bytes) from malicious DNS responses, growing an unbounded StringBuilder, while the encoder passes through null bytes and over-length labels and silently truncates on empty labels. This affects any Java application using netty-codec-dns or netty-resolver-dns (e.g. DnsNameResolver) up to 4.2.12.Final and 4.1.132.Final, enabling DNS cache poisoning, domain allowlist/validation bypass, and memory-exhaustion denial of service. Publicly available exploit code exists (vendor-supplied encoder and decoder PoCs verified on 4.2.12.Final), but EPSS is very low (0.04%, 13th percentile) and it is not in CISA KEV.

Denial Of Service Java
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Wasmtime's on-demand instance allocator panics when attempting to allocate a WebAssembly table with an extremely large size, triggering arithmetic overflow in checked allocation logic. This denial-of-service condition is exploitable only when the memory64 WebAssembly proposal is enabled (default configuration) and affects versions 30.0.0 through 36.0.7, 37.0.0 through 43.0.1, and unpatched 44.x versions. No public exploit code or active exploitation has been identified; vendor-released patches are available in versions 36.0.8, 43.0.2, and 44.0.1.

Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Regular expression denial of service (ReDoS) in youtube-regex npm package versions ≤1.0.5 allows remote unauthenticated attackers to cause service-level availability degradation through network-delivered crafted inputs. Attackers can trigger catastrophic backtracking in the regex parser, causing CPU exhaustion and application hang. SSVC framework confirms proof-of-concept code exists with automatable exploitation capability. While CVSS rates this high severity (7.5) for availability impact, real-world risk depends on whether the vulnerable package processes untrusted user input in production environments.

Denial Of Service Node.js
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Hono's bodyLimit() middleware fails to reliably enforce maxSize restrictions on chunked or unknown-length HTTP requests (Transfer-Encoding: chunked), allowing oversized payloads to reach application handlers and return HTTP 200 instead of 413 Payload Too Large. Versions prior to 4.12.16 are vulnerable when handlers do not fully read the request body, read only initial chunks before returning, or catch and suppress read errors. This bypasses the documented guarantee that oversized requests are rejected before business logic execution.

Denial Of Service Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

## Summary The device list endpoint accepts user-controlled identifiers in two places that are passed directly as BSON/SQL keys in the database layer without validation: 1. The `name` field of each filter property in the base64-encoded `filter` query parameter. 2. The `sort_by` query parameter. Any authenticated user can craft payloads that cause the aggregation/query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. ## Severity **CVSS 3.1: 6.5 (Medium)** CWE-20 (Improper Input Validation) CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) ## Affected versions ShellHub Community v0.24.1 (validated). All versions sharing the same filter and sort pipeline (`api/store/mongo/query-options.go`). ## Root cause ### Vector 1 - Filter field name `api/store/mongo/query-options.go:140`: ```go conditions = append(conditions, bson.M{param.Name: property}) ``` `param.Name` is the `name` field from the JSON filter supplied by the client. It becomes a BSON map key with no validation, allowing BSON operator names (`$where`, `$ne`, `$or`, `$regex`) and virtual pipeline-computed fields (`namespace`, paths containing `$`) to be injected. ### Vector 2 - Sort-by field Similar pattern in the sort pipeline where the `sort_by` query parameter is used to build `bson.M{"$sort": {sortBy: order}}` without validation. ### Additional observation `fromContains` (`api/store/mongo/internal/filters.go:60-69`) passes user input directly as `$regex` value, which enables blind regex extraction over string fields within the caller's tenant and potential ReDoS amplification on large datasets. ```go func fromContains(value interface{}) (bson.M, error) { switch value.(type) { case string: return bson.M{"$regex": value, "$options": "i"}, nil ``` ## Proof of concept (validated live against v0.24.1) ```bash TOKEN=<valid-user-jwt> # Helper: base64-encode a filter payload encode_filter() { python3 -c 'import json,base64,sys;print(base64.b64encode(json.dumps(json.loads(sys.argv[1])).encode()).decode())' "$1" } # --- Vector 1: filter field injection --- # Baseline: legitimate filter -> 200 F=$(encode_filter '[{"type":"property","params":{"name":"name","operator":"contains","value":"anything"}}]') curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?filter=$F" \ -H "Authorization: Bearer $TOKEN" # HTTP=200 # Exploit 1a: Mongo operator as field name F=$(encode_filter '[{"type":"property","params":{"name":"$where","operator":"contains","value":"x"}}]') curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?filter=$F" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # Exploit 1b: nested object as value F=$(encode_filter '[{"type":"property","params":{"name":"status","operator":"eq","value":{"$ne":"accepted"}}}]') curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?filter=$F" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # Exploit 1c: pipeline-computed field as filter name F=$(encode_filter '[{"type":"property","params":{"name":"namespace","operator":"contains","value":"."}}]') curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?filter=$F" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # --- Vector 2: sort-by injection --- # Baseline: legitimate sort -> 200 curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?sort_by=name" \ -H "Authorization: Bearer $TOKEN" # HTTP=200 # Exploit 2a: Mongo operator as sort field curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?sort_by=\$where" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # Exploit 2b: path containing $ curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?sort_by=_id.%24%24%24" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # Exploit 2c: oversized sort field (no length validation) curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?sort_by=$(python3 -c 'print("A"*5000)')" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # Exploit 2d: non-indexable internal field curl -sS -w "HTTP=%{http_code}\n" "http://target/api/devices?sort_by=tenant_id" \ -H "Authorization: Bearer $TOKEN" # HTTP=500 # --- Repeat to demonstrate no rate limiting --- for i in $(seq 1 20); do curl -sS -o /dev/null -w "%{http_code} " "http://target/api/devices?sort_by=\$where" \ -H "Authorization: Bearer $TOKEN" done # 500 500 500 500 500 500 500 500 500 500 500 500 500 500 500 500 500 500 500 500 ``` **Confirmed field values that trigger 500:** - Filter name: `$where`, `$regex`, `$or`, `$ne`, `remote_addr`, `tenant_id`, `namespace`, any path containing `$` after a `.` - Sort-by: `$where`, `_id.$$$`, `tenant_id`, `password.hash`, overly long strings **Observed response characteristics:** ``` HTTP/1.1 500 Internal Server Error Content-Length: 0 X-Request-Id: <id> ← logged as error in backend ``` Response time 8-18 ms per request, server process stays alive, no degradation across 20 consecutive requests. ## Impact - **Availability (low):** unrestricted HTTP 500 generation by any authenticated caller; log noise, SIEM false-positives, WAF bypass fingerprinting. - **Information disclosure (low):** potential stack trace exposure depending on logger configuration; attacker can fingerprint the underlying MongoDB aggregation pipeline and schema. - **Resource exhaustion (potential):** user-controlled `$regex` value on large tenant datasets enables ReDoS amplification (not reproducible on a 2-device test instance, but attack surface is real on production-scale deployments). - **Forensics difficulty:** unified 500 response makes it hard to distinguish legitimate errors from attacker probes in logs. ## Suggested fix 1. **Allowlist filter and sort field names per collection.** Add a whitelist of allowed `param.Name` and `sort_by` values for each model exposed via filters (`device`, `session`, etc.). Reject anything else with HTTP 400. 2. **Reject BSON operators in field names.** Even if an allowlist is not practical, reject values that: - start with `$` - contain `$` after a `.` - contain characters outside `[A-Za-z0-9_.]` - exceed a reasonable length (e.g., 64 characters) 3. **Validate `value` shape.** For `contains`/`eq`/`ne` operators, reject non-primitive values (objects, arrays of objects). 4. **Catch aggregation errors.** In `api/store/mongo/query-options.go`, wrap pipeline execution and return a typed error that the HTTP layer maps to 400 Bad Request instead of 500. 5. **Limit regex complexity.** In `fromContains`, reject regex values longer than N characters or containing nested quantifiers (`(...)+`, `(...)*`, `(.+)+`, etc.) to mitigate ReDoS.

Denial Of Service Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

## Summary Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. ## Affected versions All versions of 4.2.x `netty-transport-native-epoll` up to and including 4.2.12.Final ## Fixed in 4.2.13.Final (fix merged into the `4.2` branch via [#16689](https://github.com/netty/netty/pull/16689); release not yet cut as of 2026-04-25). ## Severity **Medium** - Denial of Service (resource exhaustion / CPU spin) **CWE:** CWE-772: Missing Release of Resource after Effective Lifetime ## Description When a TCP connection using Netty's epoll transport has `ALLOW_HALF_CLOSURE` enabled (or is in a half-closed state via the HTTP codec), and the remote peer: 1. Sends a FIN (half-close), causing the server to mark the input as shutdown, then 2. Sends a RST (e.g. by closing with `SO_LINGER=0`) the server-side channel is never closed. This happens because: - `epollOutReady()` is a no-op when there is no pending flush. - `epollInReady()` short-circuits via `shouldBreakEpollInReady()` because input is already marked as shutdown. - The `EPOLLERR`/`EPOLLHUP` error condition is therefore never processed, and `channelInactive` is never fired. Depending on the Netty version and configuration, this results in: - **Stale channels**: The connection is never closed or deregistered. An unauthenticated remote attacker can repeat the sequence to accumulate stale connections, exhausting file descriptors, memory, or connection-count limits. - **CPU busy-loop**: In code paths where `clearEpollIn0()` is not called during the `ChannelInputShutdownReadComplete` event, `epoll_wait` returns immediately on every iteration for the affected fd, causing 100% CPU utilization on the event loop thread and starving all other connections multiplexed on it. ## Mitigation - Upgrade to 4.2.13.Final when released (or build from the `4.2` branch at commit [`0ec3d97`](https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d)). - If upgrading is not immediately possible, configure idle timeouts on connections to limit the lifetime of stale channels. ## Resources - Issue: https://github.com/netty/netty/issues/16683 - Fix: https://github.com/netty/netty/pull/16689

Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

### Summary Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a `StackOverflowException`, which is not catchable by user code and terminates the process. ### Impact Applications are impacted if they deserialize MessagePack data from untrusted or attacker-controlled sources using Nerdbank.MessagePack and the target type contains a `DateTime` value. A small malicious payload can cause process termination, resulting in a denial of service. This may affect services, APIs, workers, message consumers, or other long-running processes that deserialize untrusted MessagePack input. The issue occurs because DateTime timestamp extension decoding derives `tokenSize` from the attacker-controlled extension length before validating that the timestamp length is one of the legal MessagePack timestamp sizes: 4, 8, or 12 bytes. When the buffer is incomplete, that unvalidated size is propagated to the streaming reader slow path, where it is used in a `stackalloc`. ### Patches The 1.1.62 version contains the fix for this security vulnerability. ### Workarounds If upgrading is not yet possible, avoid deserializing untrusted MessagePack payloads into type graphs that may contain `DateTime` fields or properties. Input byte-size limits alone may not fully mitigate this issue, because the malicious payload can be small while declaring a very large extension length. Possible mitigations include: - Pre-validating MessagePack extension headers before deserialization and rejecting timestamp extensions whose length is not 4, 8, or 12 bytes. - Rejecting or filtering extension type `-1` timestamp values from untrusted input unless they are known to be valid. - Running deserialization of untrusted payloads in an isolated process that can be safely restarted after termination. - Restricting MessagePack deserialization to trusted producers until a patched version is available. ### Resources - CWE-789: Uncontrolled Memory Allocation: https://cwe.mitre.org/data/definitions/789.html - MessagePack timestamp extension specification: https://github.com/msgpack/msgpack/blob/master/spec.md#timestamp-extension-type

Denial Of Service Deserialization
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

CPU exhaustion in python-multipart allows remote unauthenticated attackers to cause denial of service through crafted multipart/form-data requests with unbounded header blocks. Applications using Starlette, FastAPI, or other ASGI frameworks that parse attacker-controlled file uploads are vulnerable to worker thread starvation and event-loop blocking. Vendor-released patch available in version 0.0.27, which enforces default limits on both header count and individual header size during multipart parsing.

Denial Of Service Python
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

### Summary The `extract_hidden_states` speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a `RuntimeError` that crashes the EngineCore process. The crash is triggered when any request in the batch uses sampling penalty parameters (`repetition_penalty`, `frequency_penalty`, or `presence_penalty`). A single request with a penalty parameter (e.g., `"repetition_penalty": 1.1`) is sufficient to crash the server. The crash is deterministic and immediate - no concurrency, race condition, or special workload is required. ### Details In vLLM v0.17.0, the `extract_hidden_states` proposer's `propose()` method returned `sampled_token_ids.unsqueeze(-1)`, producing a tensor of shape `(batch_size, 1)`. In [PR #37013](https://github.com/vllm-project/vllm/pull/37013) (first released in v0.18.0), the KV connector interface was refactored out of `propose()`. The return type changed from `tuple[Tensor, KVConnectorOutput | None]` to `Tensor`, and the `.unsqueeze(-1)` call was removed along with the KV connector output: ```python # Before (v0.17.0): return sampled_token_ids.unsqueeze(-1), kv_connector_output # shape (batch_size, 1) # After (v0.18.0+): return sampled_token_ids # shape (batch_size, 2) after first decode step ``` The refactor missed that `sampled_token_ids` changed semantics between the first and subsequent decode steps. After the first decode step, the rejection sampler allocates its output as `(batch_size, max_spec_len + 1)`. With `num_speculative_tokens=1`, this produces shape `(batch_size, 2)` instead of the expected `(batch_size, 1)`, causing a broadcast shape mismatch during penalty application. ### Impact Any vLLM deployment between v0.18.0 and v0.19.1 (inclusive) configured with `extract_hidden_states` speculative decoding is affected. A single API request containing any penalty parameter immediately and permanently crashes the EngineCore process, resulting in complete loss of service availability. ### Patches Fixed in [PR #38610](https://github.com/vllm-project/vllm/pull/38610), first included in vLLM v0.20.0. The fix slices the return value to `sampled_token_ids[:, :1]`, ensuring the correct `(batch_size, 1)` shape regardless of the rejection sampler's output dimensions. ### Workarounds - Upgrade to vLLM v0.20.0 or later. - If upgrading is not possible, avoid using `extract_hidden_states` as the speculative decoding method on affected versions. - Alternatively, reject or strip penalty parameters (`repetition_penalty`, `frequency_penalty`, `presence_penalty`) from incoming requests at an API gateway before they reach vLLM.

Python Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Granian worker process aborts when a WSGI application returns invalid HTTP response header names or values due to unhandled panic in the header conversion path. An attacker who can influence WSGI application output, such as by injecting user-controlled data into response headers like Location or Content-Disposition, can trigger worker process denial of service. The vulnerability affects Granian versions 0.2.0 through 2.7.3; patch available in version 2.7.4. Proof of concept demonstrates crashes via headers containing spaces, CRLF injection, or null bytes.

Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Granian ASGI server suffers remote denial of service when unauthenticated attackers send malformed WebSocket upgrade requests containing non-ASCII bytes in the Sec-WebSocket-Protocol header, causing worker process termination. Each crafted request kills one worker process; sequential requests across all workers achieve complete service outage. The vulnerability exists in Granian's pre-application WebSocket scope construction (src/asgi/utils.rs), making application-layer defenses ineffective. Publicly available exploit code exists with complete proof-of-concept demonstrating the attack. Vendor-released patch 2.7.4 addresses the issue for affected versions 1.2.0 through 2.7.3.

Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Infinite loop denial-of-service in Snappier .NET library allows remote attackers to exhaust server resources with as few as 15 bytes of malformed Snappy-compressed data. The vulnerability affects the SnappyStream decompressor component when processing framed-format streams, causing an uncatchable busy-loop that cannot be interrupted via try/catch blocks. Publicly available exploit code exists (CVE researcher provided a working proof-of-concept). CVSS 7.5 with network vector and no authentication required indicates remotely exploitable attack surface in web applications processing compressed uploads or API payloads. No active exploitation confirmed at time of analysis, but the trivial exploit complexity (15-byte payload) makes this attractive for resource exhaustion attacks against .NET services using Snappier for decompression.

Denial Of Service
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Man-in-the-middle attacks and denial of service against SUSE Harvester (SUSE Virtualization) affect all versions prior to 1.8.0 due to disabled TLS certificate verification in the Rancher integration registration client. Network-positioned attackers can intercept cluster registration traffic to steal credentials or trigger memory buffer overflow crashes. The vulnerability is limited to the initial cluster registration phase and does not affect ongoing operational connectivity between Harvester and Rancher Manager. Vendor-released patch available in version 1.8.0 with full certificate validation enabled by default. No active exploitation confirmed; no public exploit code identified at time of analysis.

Denial Of Service Buffer Overflow Suse
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated remote denial-of-service in Micronaut Framework 4.3.0–4.10.21 allows heap exhaustion via crafted Accept-Language headers. The TimeConverterRegistrar component caches DateTimeFormatter instances in an unbounded ConcurrentHashMap keyed by @Format pattern plus locale. Attackers exploit BCP 47 private-use extensions (e.g., en-x-0001, en-x-0002) to generate millions of unique cache entries, consuming 500+ MB per 100,000 requests until JVM crashes with OutOfMemoryError. Publicly available exploit code exists (PoC provided in advisory). EPSS score not yet available for this 2026 CVE. Affects all Micronaut HTTP servers using documented @Format temporal parameter binding—a first-class framework feature requiring no special configuration. Vendor-released patch: 4.10.22 fixes both this and sibling vulnerability GHSA-3rfq-4wpf-qqw3 in ResourceBundleMessageSource. Structurally identical to previously patched GHSA-2hcp-gjrf-7fhc but in different component.

Denial Of Service Java
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Memory exhaustion in Micronaut Core's ResourceBundleMessageSource allows unauthenticated remote attackers to exhaust heap memory by sending HTTP requests with crafted Accept-Language headers that populate an unbounded bundleCache. Vulnerable applications must explicitly register a ResourceBundleMessageSource bean and serve HTML error responses; each unique locale value creates a persistent cache entry (100-200 bytes for non-matching locales, or several KB if bundles match), and sustained attack over thousands of requests causes gradual heap degradation with partial availability impact (CVSS 3.7, AC:H). The sibling messageCache is properly bounded at 100 entries, but bundleCache uses an uncontrolled ConcurrentHashMap, allowing unbounded growth keyed by (Locale, baseName) pairs derived from untrusted HTTP headers.

Denial Of Service Java
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Path traversal in GitPython versions ≤3.1.47 enables arbitrary file write and deletion outside repository boundaries when applications pass attacker-controlled reference paths to reference creation, rename, or delete operations. A fully-functional proof-of-concept demonstrates successful exploitation by crafting reference names with '../../../' sequences to escape the `.git` directory and manipulate files with the process owner's permissions. Applications exposing GitPython reference APIs to user input-particularly Git automation services, CI/CD pipelines, and multi-tenant developer platforms-are at immediate risk, as no authentication is required at the library boundary. Fixed in version 3.1.48 per GitHub advisory GHSA-7545-fcxq-7j24.

Python Denial Of Service Path Traversal +2
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote unauthenticated attackers can trigger memory exhaustion and process-level denial of service in Node.js applications using basic-ftp by sending unterminated FTP multiline control responses during initial connection. The vulnerability occurs in the client library when connecting to malicious or compromised FTP servers, causing unbounded buffer growth in _partialResponse with repeated CPU-intensive reparsing. This affects automated FTP integrations for scheduled imports, customer-provided endpoints, backup jobs, and CI/CD pipelines. Publicly available exploit code exists per GitHub security advisory GHSA-rpmf-866q-6p89. CVSS 7.5 HIGH with network attack vector, low complexity, and no authentication required confirms practical remote exploitation risk.

Denial Of Service Node.js
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution within Chrome's sandbox allows arbitrary code execution via a malicious HTML page exploiting a use-after-free vulnerability in WebRTC. Affects Chrome versions prior to 148.0.7778.96. Despite high CVSS 8.8 scoring and RCE capability, exploitation requires user interaction (visiting a crafted page) and is confined to Chrome's sandbox, limiting system-level impact. Vendor patch released in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV) or public POC at time of analysis, though Chromium security team rated this as Low severity internally, suggesting limited real-world exploitability despite the technical impact.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome on macOS versions prior to 148.0.7778.96 enables attackers to execute arbitrary code within the browser's sandbox through a malicious HTML page exploiting a use-after-free vulnerability in the Audio subsystem. The vulnerability requires user interaction (visiting a crafted webpage) but no authentication, with CVSS 8.8 rating reflecting high impact across confidentiality, integrity, and availability. Google has released patches in Chrome 148.0.7778.96; no active exploitation (KEV) or public POC has been identified at time of analysis, though the technical details are publicly accessible via Chromium issue tracker 495779613.

Denial Of Service Use After Free Memory Corruption +5
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome prior to 148.0.7778.96 on Linux, Mac, and ChromeOS allows remote attackers who have already compromised the renderer process to break out of Chrome's sandbox via a crafted HTML page exploiting a use-after-free vulnerability in the printing subsystem. Despite the 8.3 CVSS score, Chromium rates this Low severity because exploitation requires a two-stage attack chain (initial renderer compromise followed by sandbox escape). Vendor patch released as Chrome 148.0.7778.96. No evidence of active exploitation or public POC identified at time of analysis.

Google Denial Of Service Use After Free +4
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome prior to 148.0.7778.96 through a use-after-free vulnerability in the UI component. Attackers who have already compromised the renderer process can escape sandbox restrictions and execute arbitrary code by delivering a specially crafted HTML page requiring user interaction. Google has released patch version 148.0.7778.96. No active exploitation confirmed in CISA KEV at time of analysis, though the vulnerability requires prior renderer compromise which increases attack complexity beyond the CVSS AC:L rating suggests.

Denial Of Service Use After Free Memory Corruption +5
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's WebRTC component (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free memory corruption vulnerability via a malicious HTML page. While sandboxed, successful exploitation achieves high confidentiality, integrity, and availability impact within the renderer process. EPSS data unavailable; not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis. Vendor patch released as Chrome 148.0.7778.96.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's GPU component affects versions prior to 148.0.7778.96. An attacker who has already compromised the renderer process can escalate privileges to break out of Chrome's sandbox by exploiting a use-after-free memory corruption vulnerability via a specially crafted HTML page. This requires high attack complexity and user interaction (visiting a malicious page). No active exploitation confirmed at time of analysis, and vendor-released patch (version 148.0.7778.96) is available. EPSS data not provided, but the combination of network vector, changed scope (S:C in CVSS), and sandbox escape capability makes this a priority update for Chrome deployments despite Chromium's 'Medium' internal severity rating.

Google Denial Of Service Use After Free +4
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's ReadingMode component (versions prior to 148.0.7778.96) allows attackers who have already compromised the renderer process to escape sandbox restrictions and execute arbitrary code on the underlying system. The vulnerability requires user interaction to visit a malicious webpage but exploitation complexity is low once renderer compromise is achieved. EPSS data not available; no CISA KEV listing identified at time of analysis, indicating no confirmed widespread exploitation. Vendor-released patch available in Chrome 148.0.7778.96.

Denial Of Service Use After Free Memory Corruption +5
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's WebAudio implementation (versions before 148.0.7778.96) allows attackers to execute arbitrary code within the browser sandbox by exploiting a use-after-free vulnerability through a malicious HTML page. The vulnerability requires user interaction (visiting a crafted page) but no authentication. Google has released Chrome 148.0.7778.96 to address this issue. EPSS data not available; no KEV listing or public POC identified at time of analysis, suggesting limited real-world exploitation observed despite the high CVSS score.

Denial Of Service Use After Free Memory Corruption +5
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.96 via malicious extension exploitation of use-after-free in Views component. Successful exploitation requires convincing a user to install a crafted Chrome extension, after which the attacker can execute arbitrary code with Chrome's privileges. Google has released Chrome 148.0.7778.96 to address this vulnerability. No evidence of active exploitation (not listed in CISA KEV) or public proof-of-concept code identified at time of analysis. CVSS 7.5 severity driven by high attack complexity and required user interaction, which moderates real-world exploitation risk despite potential for full system compromise.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's DevTools component allows attackers who have already compromised the renderer process to break out of the browser sandbox and execute code on the underlying system. Affects all Chrome versions prior to 148.0.7778.96. Google has released version 148.0.7778.96 to patch this vulnerability. The attack requires high complexity and user interaction (visiting a malicious page), but successful exploitation enables complete system compromise with changed scope (S:C in CVSS vector), escalating from renderer-level access to full system access. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the Blink rendering engine through a specially crafted HTML page. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious webpage). EPSS data not available. Not listed in CISA KEV at time of analysis. Vendor-released patch available in Chrome 148.0.7778.96.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the TopChrome component. Attack requires user interaction with a malicious HTML page and has high attack complexity. EPSS data not available; no active exploitation confirmed at time of analysis. Vendor-released patch available in Chrome 148.0.7778.96.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free vulnerability in the Navigation component. This requires user interaction with a malicious HTML page and successful renderer compromise as a prerequisite, making it a two-stage attack requiring high attack complexity. Vendor-released patch available in Chrome 148.0.7778.96. No public exploit or active exploitation (CISA KEV) identified at time of analysis. CVSS 8.3 (High) reflects the severe post-compromise impact (sandbox escape enabling system-level access), but real-world risk depends heavily on successful initial renderer compromise.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use-after-free in Chrome's V8 JavaScript engine enables remote code execution inside the sandbox when users install a malicious extension. Google Chrome versions prior to 148.0.7778.96 are vulnerable to arbitrary code execution through specially crafted Chrome Extensions exploiting memory corruption in V8. CVSS rates this 8.8 (High) with network attack vector requiring user interaction. Vendor-released patch available in Chrome 148.0.7778.96 per Google's May 2026 stable channel update. EPSS and KEV data not provided; exploitation requires social engineering to install malicious extension, limiting automated exploitation scenarios.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome before 148.0.7778.96 allows unauthenticated attackers to execute arbitrary code within the Chrome sandbox by exploiting a use-after-free vulnerability in the CSS rendering engine through a malicious webpage. Requires victim interaction (visiting attacker-controlled page) but needs no authentication. Vendor-released patch available as Chrome 148.0.7778.96. EPSS score not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis, though browser vulnerabilities are high-value targets.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome's MediaRecording component (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code when victims perform specific UI interactions with a malicious webpage. The use-after-free vulnerability in memory management has been patched by Google in version 148.0.7778.96. EPSS data not available; no CISA KEV listing identified, suggesting no confirmed widespread exploitation at time of analysis, though publicly available exploit code exists per Chromium bug tracker disclosure.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome for Windows below version 148.0.7778.96 allows unauthenticated attackers to execute arbitrary code within Chrome's sandbox via specially crafted HTML pages exploiting a use-after-free vulnerability in the WebRTC implementation. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability. EPSS data not provided, but Google's 'High' severity classification and immediate patch release indicate active concern. No CISA KEV listing or public POC identified at time of analysis, though the vulnerability is already patched.

Denial Of Service Microsoft Use After Free +6
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome prior to version 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the Presentation API through a specially crafted HTML page. User interaction is required (visiting a malicious webpage). EPSS data not available for this recent CVE. No public exploit confirmed at time of analysis, though the vulnerability has been patched by Google in the stable channel release.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free memory corruption in Chrome Remote Desktop (Chromoting) on Windows enables local privilege escalation to SYSTEM via malicious file interaction. Attackers with local access can gain OS-level administrative control by inducing users to open specially crafted files processed by the Chromoting component. Patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV), but the local attack vector with low complexity and high impact warrants immediate patching for Windows Chrome deployments, especially in multi-user environments where privilege boundaries are critical.

Denial Of Service Microsoft Use After Free +6
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome via ServiceWorker use-after-free allows remote attackers to break out of Chrome's security sandbox through a specially crafted HTML page. Affects all Chrome versions prior to 148.0.7778.96. EPSS data not yet available for this recent CVE. Google has released a patch in version 148.0.7778.96. While rated high severity by Chromium project, the attack complexity is high (AC:H) and requires user interaction (UI:R), limiting widespread exploitation risk despite the critical scope change (S:C) indicating sandbox escape capability.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome prior to 148.0.7778.96 enables attackers to execute arbitrary code by exploiting a use-after-free vulnerability in the Passwords component through a malicious HTML page. User interaction (visiting the crafted page) is required. CVSS score of 8.8 reflects network-based attack requiring no authentication but requiring user interaction, with high impact to confidentiality, integrity, and availability. Vendor patch available in Chrome 148.0.7778.96. No public exploitation confirmed at time of analysis.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the Skia graphics library. Exploitation requires user interaction with a malicious HTML page and successful prior renderer compromise, representing a second-stage attack rather than initial access. No active exploitation confirmed (not in CISA KEV), though the vulnerability's sandbox escape capability makes it valuable for targeted attack chains.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 enables remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox through a use-after-free vulnerability in the Aura UI framework. The attack requires user interaction with a malicious webpage and presents high attack complexity, but successfully chains renderer compromise with sandbox escape to achieve full system impact. No active exploitation confirmed (not in CISA KEV), though this vulnerability class is frequently targeted given Chrome's wide deployment and the high value of sandbox escapes.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's GPU component prior to version 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free memory corruption vulnerability triggered by a malicious web page. This represents a critical second-stage attack where initial renderer compromise is chained with GPU exploitation to achieve full system access. Vendor-released patch available in Chrome 148.0.7778.96. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome on Windows allows attackers who have already compromised the renderer process to break out of Chrome's security sandbox via a use-after-free flaw in the Fullscreen API. Affects Chrome versions prior to 148.0.7778.96 on Windows platforms. Google has released a patch (version 148.0.7778.96) and rated this High severity. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code at time of analysis, though the vulnerability requires initial renderer compromise making it a second-stage exploitation vector.

Denial Of Service Microsoft Use After Free +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome for Windows versions prior to 148.0.7778.96 allows remote attackers who have already compromised the renderer process to break out of the Chrome sandbox via a use-after-free vulnerability in the Aura UI framework. The attack requires user interaction with a specially crafted HTML page and has high attack complexity (AC:H), but grants complete control over confidentiality, integrity, and availability with changed scope (S:C). No active exploitation confirmed in CISA KEV at time of analysis. EPSS data not provided, but the vulnerability targets a browser component with over 3 billion users globally.

Denial Of Service Microsoft Use After Free +5
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Use-after-free in the Views component of Google Chrome versions prior to 148.0.7778.96 enables site isolation bypass after renderer compromise. A remote attacker who has already compromised the renderer process can escape sandbox protections via a malicious HTML page, potentially accessing cross-origin data or executing code outside the renderer sandbox. Patch released by Google in version 148.0.7778.96. EPSS score of 0.02% (3rd percentile) indicates very low probability of exploitation in the wild currently, with no evidence of active exploitation or public proof-of-concept at time of analysis.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome versions prior to 148.0.7778.96 allows remote attackers to break out of the browser's security sandbox through a use-after-free vulnerability in the Fullscreen API component. Attackers can deliver exploitation via a specially crafted HTML page requiring only user visit to the page (no additional interaction). With CVSS 9.6 (Critical) and scope change indicating containment breach, this represents a serious risk to browser security model integrity. No evidence of active exploitation (not in CISA KEV) and EPSS data not available at time of analysis.

Google Denial Of Service Use After Free +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution within Chrome's sandbox affects all versions prior to 148.0.7778.96 via crafted HTML pages exploiting a use-after-free vulnerability in DOM handling. Remote unauthenticated attackers can achieve arbitrary code execution with high integrity and confidentiality impact by convincing users to visit a malicious webpage. Vendor patch released (Chrome 148.0.7778.96). No confirmed active exploitation (not in CISA KEV), but the low attack complexity (AC:L) and publicly disclosed bug tracker entry (Chromium issue 496292089) increase exploitation risk. EPSS data not provided but RCE in widely-deployed browser warrants immediate patching despite sandbox containment limiting full system compromise.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome versions prior to 148.0.7778.96 allows attackers to execute arbitrary code within the browser's sandbox through a use-after-free vulnerability in SVG rendering. User interaction (visiting a malicious webpage) is required, but no authentication is needed. Vendor-released patch available in Chrome 148.0.7778.96. No public exploit identified at time of analysis, though CVSS score of 8.8 reflects high impact if successfully exploited.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome for macOS (versions prior to 148.0.7778.96) allows attackers to execute arbitrary code within the browser's sandbox by exploiting a use-after-free vulnerability in the ANGLE graphics library through a malicious HTML page. The vulnerability requires user interaction (visiting a crafted webpage) but can be exploited remotely without authentication. Google has released Chrome 148.0.7778.96 to address this high-severity memory corruption issue, which affects the confidentiality, integrity, and availability of sandboxed browser processes.

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Chromoting component (remote desktop feature) on Linux allows unauthenticated attackers to execute arbitrary code through specially crafted network packets when a user interacts with a malicious remote desktop session. Fixed in Chrome 148.0.7778.96. Vendor rates severity as Critical. No public exploit code identified at time of analysis, but the use-after-free class (CWE-416) is well-understood and exploitable. CVSS 8.8 reflects network attack vector with low complexity requiring only user interaction, enabling full system compromise (high confidentiality, integrity, and availability impact).

Denial Of Service Use After Free Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome for iOS prior to version 148.0.7778.96 through use-after-free memory corruption in the mobile UI handler. Exploitation requires convincing a user to perform specific UI gestures while viewing a malicious HTML page. Google confirms Critical severity and has released a patched version. EPSS data unavailable; not currently listed in CISA KEV. Attack complexity is rated High due to the required user interaction pattern, limiting opportunistic exploitation but enabling targeted attacks via social engineering.

Denial Of Service Use After Free Memory Corruption +6
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

### Impact Anyone trying to generate a prime and testing the primality of a number. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service
NVD GitHub
HIGH PATCH This Week

Malformed reference links in Mistune 3.2.0 trigger algorithmic complexity attacks in the parse_link_title() function, causing 100% CPU consumption and permanent process hangs. The vulnerability affects Python applications processing untrusted Markdown content, enabling remote denial-of-service through minimal-size payloads (the provided POC is under 200 bytes). A publicly available proof-of-concept demonstrates consistent exploitation discovered via coverage-guided fuzzing. Vendor patch 3.2.1 addresses the issue by implementing parsing limits and defensive checks.

Suse Denial Of Service Python
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Regular Expression Denial of Service in mistune's link title parser enables attackers to freeze Python applications with 58-byte Markdown payloads. The LINK_TITLE_RE regex in mistune 3.0.0a1 through 3.2.0 exhibits catastrophic backtracking (O(2^N) time complexity) when parsing link titles with repeated escaped punctuation patterns, blocking a parser thread for approximately 6 seconds on modern hardware with exponential growth per additional byte pair. Publicly available exploit code exists (demonstrated in the GitHub advisory with working PoC), enabling trivial weaponization against web applications, documentation systems, Jupyter tooling, and API endpoints that process user-supplied Markdown. CVSS 8.7 (CVSS:4.0/AV:N/AC:L/PR:N/UI:N/VA:H) reflects the network-accessible, zero-prerequisite nature of the attack, though the High availability impact assumes single-threaded parsing or resource-constrained environments.

Denial Of Service Apple Python
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in React Server Components (react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack) versions 19.0.0-19.0.5, 19.1.0-19.1.6, and 19.2.0-19.2.5 allows unauthenticated remote attackers to crash servers, trigger out-of-memory exceptions, or exhaust CPU resources by sending specially crafted HTTP requests to server function endpoints. The CVSS 7.5 score reflects network-accessible, low-complexity exploitation requiring no privileges or user interaction, with high availability impact. No public exploit code or active exploitation confirmed at time of analysis, though EPSS data unavailable and vulnerability disclosed by Meta directly.

Denial Of Service Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

Denial of service in Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) allows remote unauthenticated attackers to exhaust connection resources by flooding the system with connection requests, forcing a manual reboot to restore service. CVSS 7.5 (High) with network vector and no authentication required. No public exploit code identified at time of analysis, and EPSS data not available. The vulnerability stems from inadequate rate-limiting on incoming connections (CWE-400), affecting critical network orchestration infrastructure used for automation and service provisioning.

Denial Of Service Cisco
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Cisco SG350 and SG350X managed switches can be remotely crashed via crafted SNMP requests, forcing unexpected device reloads. Authenticated attackers with valid SNMP credentials (read-only or read-write community strings for SNMPv1/v2c, or user credentials for SNMPv3) can trigger a heap-based buffer overflow in SNMP response parsing. Cisco confirmed this vulnerability affects all three SNMP versions (v1, v2c, v3) and published advisory cisco-sa-sg350-snmp-dos-GEFZr2Tj. EPSS and KEV status not provided in available data; exploitation requires network access with low complexity but does require valid SNMP authentication.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Type confusion in Qt SVG renderer allows remote denial of service through malicious SVG images. Attackers can craft SVG files with self-referencing marker elements that trigger out-of-bounds heap reads and infinite recursion, crashing applications that parse the SVG. Affects Qt 6.7.0-6.8.7 and 6.9.0-6.11.0. Vendor patch available via code review platform. CVSS 8.7 reflects network delivery vector with no authentication required, though actual exploitation requires victim to open or render the crafted SVG file.

Denial Of Service Memory Corruption Suse +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: fs/buffer: add alert in try_to_free_buffers() for folios without buffers try_to_free_buffers() can be called on folios with no buffers attached when filemap_release_folio() is invoked on a folio belonging to a mapping with AS_RELEASE_ALWAYS set but no release_folio operation defined. In such cases, folio_needs_release() returns true because of the AS_RELEASE_ALWAYS flag, but the folio has no private buffer data. This causes try_to_free_buffers() to call drop_buffers() on a folio with no buffers, leading to a null pointer dereference. Adding a check in try_to_free_buffers() to return early if the folio has no buffers attached, with WARN_ON_ONCE() to alert about the misconfiguration. This provides defensive hardening.

Denial Of Service Null Pointer Dereference Linux +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Null pointer dereference in the AMD GPU (amdgpu) DRM subsystem can cause denial of service when the SDMA block is disabled and buffer_funcs initialization is skipped, allowing local authenticated users to crash the kernel via uninitialized function pointer access.

Denial Of Service Null Pointer Dereference Linux +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

NULL pointer dereference in the Linux kernel's amdgpu RAS (Reliability, Availability, and Serviceability) driver crashes the kernel when a local user reads the sysfs badpages interface on a system whose AMD GPU EEPROM contains only invalid address entries. The driver skips RAS data allocation under this condition, and the subsequent read of `amdgpu_ras_sysfs_badpages_read` dereferences the uninitialized pointer, producing a kernel panic and complete denial of service. No public exploit exists and no active exploitation has been identified; EPSS is 0.02% (4th percentile), reflecting very low real-world risk.

Denial Of Service Null Pointer Dereference Ubuntu +1
NVD VulDB
Prev Page 29 of 406 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
36508

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy