Skip to main content

Denial of Service

other MEDIUM

Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions.

How It Works

Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions. Attackers exploit asymmetry: minimal attacker effort produces disproportionate resource consumption on the target. Application-level attacks use specially crafted inputs that trigger expensive operations—a regex engine processing malicious patterns can backtrack exponentially, or XML parsers recursively expand entities until memory exhausts. Network-level attacks flood targets with connection requests or amplify traffic through reflection, but application vulnerabilities often provide the most efficient attack surface.

The attack typically begins with reconnaissance to identify resource-intensive operations or unprotected endpoints. For algorithmic complexity attacks, adversaries craft inputs hitting worst-case performance—hash collision inputs filling hash tables with collisions, deeply nested JSON triggering recursive parsing, or pathological regex patterns like (a+)+b against strings of repeated 'a' characters. Resource exhaustion attacks open thousands of connections, upload massive files to unbounded storage, or trigger memory leaks through repeated operations. Crash-based attacks target error handling gaps: null pointer dereferences, unhandled exceptions in parsers, or assertion failures that terminate processes.

Impact

  • Service unavailability preventing legitimate users from accessing applications during attack duration
  • Revenue loss from downtime in e-commerce, SaaS platforms, or transaction processing systems
  • Cascading failures as resource exhaustion spreads to dependent services or database connections pool out
  • SLA violations triggering financial penalties and damaging customer trust
  • Security team distraction providing cover for data exfiltration or intrusion attempts running concurrently

Real-World Examples

CVE-2018-1000544 in Ruby's WEBrick server allowed ReDoS through malicious HTTP headers containing specially crafted patterns that caused the regex engine to backtrack exponentially, freezing request processing threads. A single attacker could saturate all available workers.

Cloudflare experienced a global outage in 2019 when a single WAF rule containing an unoptimized regex hit pathological cases on legitimate traffic spikes. The .*(?:.*=.*)* pattern exhibited catastrophic backtracking, consuming CPU cycles across their edge network until the rule was disabled.

CVE-2013-1664 demonstrated XML bomb vulnerabilities in Python's XML libraries. Attackers uploaded XML documents with nested entity definitions-each entity expanding to ten copies of the previous level. A 1KB upload could expand to gigabytes in memory during parsing, crashing applications instantly.

Mitigation

  • Strict input validation enforcing size limits, complexity bounds, and nesting depth restrictions before processing
  • Request rate limiting per IP address, API key, or user session with exponential backoff
  • Timeout enforcement terminating operations exceeding reasonable execution windows (typically 1-5 seconds)
  • Resource quotas limiting memory allocation, CPU time, and connection counts per request or tenant
  • Regex complexity analysis using linear-time algorithms or sanitizing patterns to eliminate backtracking
  • Circuit breakers automatically rejecting requests when error rates or latency thresholds indicate degradation
  • Load balancing and autoscaling distributing traffic across instances with automatic capacity expansion

Recent CVEs (36442)

EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial-of-service in Juniper Junos OS on EX4100 and EX4400 Series switches allows an unauthenticated adjacent attacker to exhaust packet-forwarding-engine memory and crash the Flexible PIC Concentrator (FPC). The flaw triggers only when sFlow monitoring is enabled in a Virtual Chassis and multicast traffic ingresses on one VC member and egresses on another, causing a slow buffer leak that culminates in an FPC crash and restart. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability risk for affected deployments.

Juniper Denial Of Service Junos Os
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial-of-service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series devices allows an unauthenticated, network-based attacker to crash the flow processing daemon (flowd) by sending a malformed SIP INVITE packet when the SIP Application Layer Gateway (ALG) is enabled. The crash forces a flowd restart, producing a complete traffic-forwarding outage until the device auto-recovers, and can be repeated to sustain the outage. No public exploit identified at time of analysis; not listed in CISA KEV, and no EPSS score was provided.

Juniper Denial Of Service Junos Os
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Denial-of-service in Juniper Networks Junos OS and Junos OS Evolved on EX Series, QFX Series, and MX Series allows a local, low-privileged attacker to crash the l2ald (Layer 2 Address Learning Daemon) by issuing a specific 'show l2-learning' CLI command, disrupting all Layer 2 services until the process automatically restarts. The root cause is a Return of Pointer Value Outside of Expected Range flaw (CWE-466) in the fileio library. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA or the vendor.

Juniper Denial Of Service Junos Os +1
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Repeated IKE negotiation failures on Juniper Junos OS (MX with SPC3 and SRX Series) cause a peer index rollover that assigns duplicate index values to new peers, triggering continuous iked process crashes and a full VPN service outage requiring system reboot. Unauthenticated network-based attackers can deliberately flood the device with failing VPN negotiations to accelerate the rollover condition. No public exploit code or CISA KEV listing exists at time of analysis, but the network-reachable, zero-privilege attack vector makes this a meaningful risk for any organization relying on Juniper-based VPN infrastructure with iked enabled.

Juniper Denial Of Service Junos Os
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote denial of service in Juniper Networks Junos OS on MX Series (with SPC3) and SRX Series firewalls lets an unauthenticated network attacker crash the flow processing daemon (flowd) by sending a single TCP packet with a malformed TCP header when the TCP proxy is active. Because TCP proxy is engaged whenever ALGs, Advanced Anti-Malware, ICAP, or UTM services inspect a flow, exploitation forces a complete traffic-forwarding outage until the daemon auto-restarts. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and lack of authentication make it a credible availability threat to perimeter devices.

Juniper Denial Of Service Junos Os
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Junos OS on MX (with SPC3) and SRX-series firewalls lets an unauthenticated, network-based attacker crash and restart the PFE, dropping all traffic-forwarding services until automatic recovery. Exploitation is indirect: the attacker must lure or wait for the affected device to initiate an outbound TCP connection to an attacker-controlled system, which then replies with a crafted packet that trips an unhandled exceptional condition (CWE-754). Juniper-reported with CVSS 4.0 8.2; no public exploit identified at time of analysis and it is not in CISA KEV.

Juniper Denial Of Service Junos Os
NVD
EPSS 1% CVSS 6.6
MEDIUM PATCH This Month

Denial of service conditions in Palo Alto Networks PAN-OS allow unauthenticated network attackers to crash firewall dataplane processes by sending specially crafted traffic to or through a dataplane interface. Repeated exploitation escalates the impact: the firewall is forced into maintenance mode, effectively taking the security appliance offline and disrupting all traffic enforcement. No public exploit code has been identified at time of analysis, and Panorama management infrastructure is explicitly confirmed unaffected.

Denial Of Service Paloalto Cloud Ngfw +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the RTSP service by sending a crafted second SETUP request after a valid RTSP handshake, knocking the camera offline for every client on the network. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP second-stage URL routing parser; publicly available exploit code exists via a GitHub write-up, though no active exploitation is confirmed and the CVSS availability-only impact means it is a crash, not code execution, at time of analysis.

Buffer Overflow Tenda Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the RTSP service of Tenda CP3 V3.0 IP cameras (firmware V31.1.9.91) allows an unauthenticated remote attacker on the local network to crash the streaming service with a single crafted SETUP request. Because the second-stage URL routing parser does not validate the URL field length, a request whose URL is exactly four repetitions of a valid RTSP URL overflows a stack buffer and terminates the RTSP process, cutting off all clients. Publicly available exploit code exists (researcher write-up on GitHub); this is not listed in CISA KEV and no active exploitation is confirmed.

Buffer Overflow Tenda Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker exhaust TCP connection resources by sending RTSP requests (DESCRIBE, SETUP, PLAY) that advertise a Content-Length header but omit the message body, wedging the RTSP parser into a permanent body-awaiting state and leaking the connection. Repeated requests permanently disable the camera's streaming service. SSVC records a public proof-of-concept and rates the attack automatable; publicly available exploit code exists (POC), though it is not listed in CISA KEV, so there is no confirmation of active exploitation.

Tenda Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Denial of service in the RTSP service of MERCURY MIPC252W IP Camera firmware v1.0.5 Build 230306 Rel.79931n allows an unauthenticated, network-adjacent attacker to crash the streaming service by sending a crafted DESCRIBE request containing a malformed URL in the request line. The root cause is improper input validation (CWE-20) in the RTSP parser, resulting in complete loss of camera availability until the device is rebooted. Publicly available exploit code exists per SSVC classification, though no confirmed active exploitation (CISA KEV) has been recorded.

Denial Of Service
NVD GitHub
EPSS 1% CVSS 8.7
HIGH PATCH This Week

CPU-exhaustion denial of service in CPython's standard-library html.parser.HTMLParser lets remote attackers cause quadratic processing time by feeding a long, unterminated markup construct (comment, tag, PI, DOCTYPE, CDATA, or RAWTEXT element) incrementally in many small chunks. Any Python service that streams attacker-controlled HTML through HTMLParser.feed() is affected in all CPython versions before 3.16.0. There is no public exploit identified at time of analysis, but the fix, root cause (repeated buffer rescan and concatenation), and a triggering test case are publicly documented in the upstream pull request, making a working reproducer trivial to reconstruct.

Denial Of Service Python
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW Monitor

Use-after-free in Open5GS 2.7.7's AMF component allows a local low-privileged user to access freed memory within the `amf_context_final` function in `src/amf/context.c`, producing a low-severity confidentiality exposure. Exploitation is strictly local - no network vector exists - and a public proof-of-concept is confirmed by the CVSS 4.0 E:P supplemental modifier. This vulnerability is not listed in the CISA KEV catalog and carries a CVSS 4.0 base score of 1.9, reflecting its constrained real-world impact on what is a niche, telecom-research-oriented software stack.

Denial Of Service Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Regular expression denial of service in Open WebUI 0.9.2-0.9.x allows any authenticated user to block the Python asyncio event loop by sending a single malformed chat message. The SKILL_MENTION_RE and strip_re patterns in middleware.py use overlapping quantifiers when parsing skill-mention syntax, causing quadratic backtracking on input containing '<$' without a closing '>'. Because the event loop is synchronously blocked, the attack effectively takes the entire Open WebUI instance offline for all concurrent users. No public exploit code or active exploitation has been identified at time of analysis; the fix is confirmed in the v0.10.0 release.

Denial Of Service Open Webui
NVD GitHub
EPSS 1% CVSS 8.7
HIGH PATCH This Week

Denial of service in Zeek (formerly Bro) network security monitor before 8.0.9 lets remote unauthenticated attackers crash the sensor by sending a single crafted Kerberos KRB_ERROR packet. The flaw is a null pointer dereference (CWE-476) in the Kerberos analyzer's proc_padata() routine, reachable over UDP or TCP port 88 with no credentials. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the trivial single-packet trigger and passive-monitoring exposure make it operationally significant for security teams running Zeek inline or on tapped traffic.

Denial Of Service Null Pointer Dereference Zeek
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in Zeek network security monitor (versions before 8.0.9) lets unauthenticated remote attackers crash the sensor by driving unbounded memory growth in the FTP protocol analyzer. By opening an FTP control session, negotiating AUTH GSSAPI, and sending an oversized ADAT control line, an attacker forces the NVT_Analyzer to repeatedly double its base64-decode buffer until the process is terminated. VulnCheck reported the issue; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-facing, unauthenticated, low-complexity nature makes it a high-availability risk for exposed monitoring infrastructure.

Denial Of Service Zeek
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Denial of service in Siemens CPCI85 Central Processing/Communication firmware and SICORE Base System (all versions before V26.20 / V26.20.0) allows an authenticated attacker to crash the device's web process via a leftover debugging interface exposed on HTTP endpoints. The flaw stems from active debug code shipped in production firmware and affects only availability, not data confidentiality or integrity. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Denial Of Service Cpci85 Central Processing Communication Sicore Base System
NVD VulDB
HIGH POC PATCH This Week

Server-side request forgery (and cross-scheme local file disclosure) in the Ruby css_parser gem (all versions prior to 3.0.0) lets an attacker who can land a single @import url(...) rule in parsed CSS force the server to issue arbitrary HTTP/HTTPS GETs to any internal host, port or IP, and — via an attacker-controlled 302 redirect to a file:// URI — read local files. Premailer-style consumers that re-emit the parsed CSS into rendered HTML/email leak any CSS-shaped response bytes back to the attacker, turning this into a data-exfiltration channel rather than a blind SSRF. No public CVSS is published and it is not in CISA KEV, but a complete working proof-of-concept (poc.rb) is included in the advisory, so publicly available exploit code exists.

Kubernetes Hashicorp SSRF +7
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

Denial-of-service in the HL7 FHIR Core library (ca.uhn.hapi.fhir:org.hl7.fhir.core, all FHIRPathEngine implementations) lets a remote unauthenticated attacker exhaust a CPU core by submitting a FHIR resource whose matches(), matchesFull(), or replaceMatches() FHIRPath function carries a malicious regular expression that triggers catastrophic backtracking. The timeout utility meant to bound regex evaluation cancelled its executor thread but could not actually interrupt the running Pattern/String operation, and three modules invoked evaluation entirely outside that guard. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the ReDoS technique is well understood and trivial to reproduce.

Denial Of Service
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4, lets remote attackers hang a worker thread by submitting a ~300-byte attribute selector with an unterminated quoted value (e.g. '[a="xxxx...'), triggering catastrophic regular-expression backtracking in the VALUE pattern of css_parser.py. Any Python service that passes untrusted selector strings to soupsieve.compile() or Beautiful Soup's .select()/.select_one() is affected, and each added byte roughly doubles CPU time, so a handful of concurrent requests can exhaust all workers. Publicly available exploit code exists (a working PoC is embedded in the advisory), but no exploit is identified as being used in active attacks and it is not listed in CISA KEV.

Python Denial Of Service
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Memory-exhaustion denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4 (beautifulsoup4), lets remote unauthenticated attackers crash Python services by submitting a large comma-separated CSS selector to soupsieve.compile() or Beautiful Soup's .select()/.select_one(). Each comma-delimited item is parsed into a ~976-byte object graph with no cap on list length, so a ~500 KB selector string of 'a,a,a,...' expands to roughly 244 MB of heap (a ~488x amplification), triggering OOM kills or MemoryError. A working proof-of-concept is published in the advisory; no CISA KEV listing or in-the-wild exploitation is reported.

Kubernetes Python Denial Of Service +1
NVD GitHub
CVSS 6.5
MEDIUM POC This Month

Memory exhaustion in pyload's EventManager module allows authenticated remote attackers to cause a denial of service by sending large volumes of requests to the getEvents API endpoint with unique UUIDs. Each unique UUID causes a new Client instance to be appended to the internal clients list, but the existing clean() method that would purge inactive clients is never invoked anywhere in the codebase, resulting in unbounded memory growth. No public exploit is independently catalogued, but a functional proof-of-concept script was included in the disclosure, demonstrating that the attack can be executed with a valid API key and approximately 100,000 HTTP GET requests.

Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Null pointer dereference in GNU LibreDWG up to 0.13.4 allows a local low-privileged attacker to crash any application that processes a maliciously crafted DWG file via the `dwg_next_entity` function in `src/dwg.c`, resulting in denial of service. A proof-of-concept exploit file is publicly available (CVSS 4.0 E:P), though no active exploitation is confirmed in CISA KEV. The issue is fully resolved by upgrading to version 0.14, which includes a committed upstream patch.

Denial Of Service Null Pointer Dereference Libredwg
NVD VulDB GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Denial of service in body-parser npm middleware allows unauthenticated remote attackers to submit arbitrarily large HTTP request bodies when the package is misconfigured with an invalid `limit` option value. Affected versions span both the 1.x line (prior to 1.20.6) and 2.x line (prior to 2.3.0). The silent misconfiguration failure bypasses all payload size enforcement, enabling an attacker to exhaust server memory and CPU through oversized request flooding - though exploitation requires the specific precondition of an invalid limit setting, reflected accurately in the low CVSS score of 3.7. No public exploit or CISA KEV listing exists at time of analysis.

Denial Of Service Body Parser
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in GStreamer's DTLS plugin allows a remote unauthenticated attacker to crash any application that performs a DTLS handshake (notably WebRTC/webrtcbin pipelines) by presenting a TLS certificate with an oversized Subject Distinguished Name. The Subject DN is written into a fixed 2048-byte stack buffer with no bounds checking (CWE-121), and overflowing it corrupts the stack and terminates the process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; impact is limited to availability (process crash), with no code execution or data exposure claimed.

Buffer Overflow Denial Of Service Stack Overflow +5
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Heap buffer overflow in GStreamer's rfbsrc (RFB/VNC source) plugin lets a malicious VNC server crash or corrupt the memory of any client that connects to it. When the server advertises a 16bpp framebuffer and sends Hextile-encoded updates, the background-fill path writes 32-bit pixels into a 16-bit buffer, producing an out-of-bounds heap write. No public exploit identified at time of analysis; the primary confirmed impact is denial of service, with potential for further memory corruption. This is a client-side flaw requiring the victim to connect to attacker-controlled infrastructure.

Memory Corruption Denial Of Service Buffer Overflow +5
NVD
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

GNU patch enters an infinite CPU-consuming loop when processing a specially crafted unified-diff file containing an excessively large hunk line offset, resulting in a denial of service. The utility becomes unresponsive and must be manually terminated, impacting any pipeline, CI/CD system, or developer workflow that applies untrusted patch files. No public exploit has been identified at time of analysis, and an upstream fix commit has been published by the maintainers on Savannah; a formally tagged release is not yet independently confirmed.

Denial Of Service Patch
NVD VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

GNU patch crashes with a NULL pointer dereference when a user applies a specially crafted unified-diff file, resulting in denial of service. Improper handling of consecutive end-of-file newline markers corrupts internal hunk data structures, causing a NULL pointer to be passed to fwrite() during processing. No public exploit has been identified at time of analysis and no CISA KEV listing exists; real-world impact is constrained by the requirement for user interaction with a malicious file.

Denial Of Service Null Pointer Dereference Patch
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Disk-exhaustion denial of service in Nozomi Networks Guardian and Central Management Console (CMC) lets a remote, unauthenticated attacker fill available storage by sending requests with oversized input that the audit-logging subsystem records without any size limit. Because the affected devices are OT/ICS network-monitoring appliances, exhausting disk can render the sensor or its management console inoperable and blind defenders. No public exploit is identified at time of analysis; EPSS and KEV data were not provided, but the network/unauthenticated CVSS 4.0 profile (VA:H) makes this a low-effort attack.

Denial Of Service Guardian Cmc
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Remote denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.991) allows an unauthenticated attacker on the network to crash the device by sending a specially crafted RTSP TEARDOWN request that overflows a stack buffer. Publicly available exploit code exists via a third-party GitHub write-up, though the flaw affects only availability (no data disclosure or code execution is claimed). No active exploitation has been reported in CISA KEV, and EPSS data was not provided.

Buffer Overflow Tenda Denial Of Service +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) allows an unauthenticated remote attacker to crash the RTSP service by sending a crafted PLAY request that overflows a fixed-size stack buffer. The flaw is remotely reachable with no authentication or user interaction, but per the description and CVSS the impact is limited to availability loss (device crash/reboot), with no confirmed code execution. A public technical report with reproduction details exists on GitHub; the issue is not listed in CISA KEV and no EPSS score was provided.

Buffer Overflow Tenda Denial Of Service +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome desktop before 150.0.7871.115 stems from a use-after-free in the InterestGroups component (the Protected Audience / FLEDGE ad-auction API of Privacy Sandbox), letting a remote attacker run arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. Google rates the Chromium severity High, and the CVSS 8.8 reflects network-reachable, low-complexity, unauthenticated exploitation gated only by user interaction (visiting a page). There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, though EPSS-style risk for Chrome memory-corruption bugs is typically elevated once details circulate.

Memory Corruption Google Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's Views UI framework (versions prior to 150.0.7871.115) lets a remote attacker exploit a use-after-free by luring a victim to a crafted HTML page. The flaw, rated Critical by Chromium and CVSS 8.8, requires user interaction (visiting a malicious page) but no authentication; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Google has shipped a stable-channel fix.

Memory Corruption Denial Of Service Use After Free +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandboxed remote code execution in Google Chrome versions prior to 150.0.7871.115 stems from a use-after-free in the Forms component, allowing a remote attacker to run arbitrary code within the renderer sandbox when a victim opens a crafted HTML page. The flaw carries a High Chromium severity rating and CVSS 8.8; Google has shipped a stable-channel fix, but no public exploit has been identified at time of analysis. Because code execution is confined to the sandbox, a separate sandbox-escape bug would be required for full host compromise.

Memory Corruption Google Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in WebRTC in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Google Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's Core component on Windows (versions prior to 150.0.7871.115) lets an attacker who has already compromised the renderer process break out of the sandbox and reach the higher-privileged browser process via a crafted HTML page. The flaw is a CWE-416 use-after-free rated High by Chromium and CVSS 8.3, with a scope change reflecting the renderer-to-browser boundary crossing. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but as the second stage of a browser exploit chain it is a meaningful patch priority.

Memory Corruption Google Microsoft +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome desktop before 150.0.7871.115 stems from a use-after-free in the browser's Input component, letting a remote attacker who lures a victim to a crafted HTML page run arbitrary code inside the renderer sandbox. Google rates the Chromium severity High and CVSS is 8.8, requiring user interaction (visiting a malicious page) but no authentication. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the memory-corruption class and network attack vector make it a standard high-priority browser patch.

Memory Corruption Google Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Heap corruption in Google Chrome's Payments component (versions prior to 150.0.7871.115) lets a remote attacker who lures a user into performing specific UI gestures potentially achieve code execution via a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium and CVSS 7.5, with a vendor patch already shipped in the July 2026 Stable channel update; no public exploit has been identified at time of analysis. Exploitation is gated by high attack complexity and required user interaction, making it credible but not trivially weaponizable.

Memory Corruption Denial Of Service Use After Free +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome desktop before 150.0.7871.115 lets a remote attacker run arbitrary code (constrained to the renderer sandbox) by luring a victim to a crafted HTML page that triggers a use-after-free in the Actor component. The flaw is network-reachable and requires only that the user visit a malicious page, but Chromium rates the severity High rather than Critical because code execution stays inside the renderer sandbox. No public exploit identified at time of analysis; no EPSS or KEV signal was supplied in the input.

Memory Corruption Google Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for Android before 150.0.7871.115 stems from a use-after-free in the Autofill component, letting a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Rated High by Chromium and carrying a CVSS 9.6 due to the scope-changing impact, it currently has no public exploit identified at time of analysis and is not listed in CISA KEV. A vendor patch shipped via the Chrome Stable channel update.

Memory Corruption Denial Of Service Use After Free +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote heap corruption in Google Chrome desktop before 150.0.7871.115 stems from a use-after-free (CWE-416) in Ozone, the platform abstraction layer that mediates windowing, graphics, and input. A remote attacker who lures a victim into loading a crafted HTML page can trigger the freed-memory reuse and potentially achieve renderer-level code execution; Chromium rates the underlying flaw Critical. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privilege, low-complexity CVSS 8.8 profile makes it a high-priority browser patch.

Memory Corruption Denial Of Service Use After Free +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Heap corruption in Google Chrome's Views UI framework (versions prior to 150.0.7871.115) lets a remote attacker who lures a user into performing specific UI gestures on a crafted HTML page potentially execute code or crash the browser via a use-after-free. Google rates the Chromium severity High; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though Chrome UAF bugs are historically attractive exploitation targets.

Memory Corruption Denial Of Service Use After Free +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Use after free in Extensions in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)

Memory Corruption Denial Of Service Use After Free +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Renderer-process code execution in Google Chrome desktop before 150.0.7871.115 arises from a use-after-free in the IndexedDB implementation, letting a remote attacker run arbitrary code within the Chromium sandbox when a victim opens a crafted HTML page. Chromium rated the flaw Medium severity even though the CVSS base score is 8.8, reflecting that execution is confined to the sandboxed renderer rather than the host. A vendor patch is available and no public exploit has been identified at time of analysis.

Memory Corruption Google Denial Of Service +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Remote denial of service in OpENer 2.3.0 (commit 76b95cf), an open-source EtherNet/IP (CIP) communication stack, lets unauthenticated network attackers exhaust device resources through the network processing loop, rendering the affected industrial device unavailable. The flaw carries CVSS 7.5 (availability-only impact) and publicly available exploit code exists (referenced GitHub gist and issue #562), though it is not listed in CISA KEV and EPSS is low at 0.20% (10th percentile), indicating no observed widespread exploitation. Because OpENer typically runs on embedded ICS/IIoT endpoints, loss of availability can translate directly to loss of process visibility or control.

Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Remote denial of service in the JavaScript @libp2p/gossipsub module (all versions prior to 16.0.0) lets any connected peer stall a victim node by sending oversized IHAVE/IWANT control messages. Because defaultDecodeRpcLimits left maxIhaveMessageIDs and maxIwantMessageIDs set to Infinity, a single 4 MB RPC frame forces roughly 180,000 message IDs to be iterated synchronously, blocking the Node.js event loop and freezing the process. No public exploit identified at time of analysis; the flaw is remotely reachable without authentication against affected default configurations.

Node.js Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Wireshark 4.6.0-4.6.6 and 4.4.0-4.4.16 is caused by a heap-based buffer overflow in the Catapult DCT2000 protocol dissector, crashing the application when a crafted capture file is opened. The CVSS local attack vector (AV:L) and required user interaction (UI:R) constrain exploitation to scenarios where an analyst is socially engineered into opening a malicious capture file - no remote or unauthenticated network exploitation path exists. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; vendor-released fixes are available in 4.6.7 and 4.4.17.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The pcapng file parser in Wireshark 4.6.0 through 4.6.6 contains a heap-based buffer overflow (CWE-122) that crashes the application, resulting in denial of service. An attacker must convince a user to open a specially crafted pcapng capture file, making this a social-engineering-dependent attack with no network-facing exploitation path. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a vendor patch is available in Wireshark 4.6.7.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The FMP/NOTIFY protocol dissector in Wireshark 4.6.0-4.6.6 and 4.4.0-4.4.16 crashes when processing malformed packet data, resulting in a denial of service against the application. Exploitation requires a victim to open a crafted packet capture file or analyze injected traffic, making this a social-engineering-dependent vector rather than a remotely triggerable flaw. A vendor-released patch is available in versions 4.6.7 and 4.4.17; no public exploit or CISA KEV listing has been identified at time of analysis.

Denial Of Service Wireshark
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Wireshark's SSH protocol dissector crashes via a null pointer dereference (CWE-476) in versions 4.4.0-4.4.16 and 4.6.0-4.6.6, enabling denial of service against any analyst or engineer running an affected build. The flaw is triggered locally when Wireshark processes malformed SSH protocol data, whether from a live capture or a crafted packet capture file, causing the application to crash and disrupting network analysis workflows. No active exploitation has been confirmed in CISA KEV, and no public exploit code is known at time of analysis.

Denial Of Service Null Pointer Dereference Wireshark
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Heap-based buffer overflow in Wireshark's Z39.50 protocol dissector crashes the application when processing malformed Z39.50 PDUs, resulting in denial of service. Affected versions span the 4.4.x branch (4.4.0-4.4.16) and 4.6.x branch (4.6.0-4.6.6). An attacker can trigger the crash by persuading an analyst to open a crafted packet capture file or by injecting malicious Z39.50 traffic onto a monitored network segment; no active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Wireshark's UMTS FP protocol dissector affects the 4.6.0-4.6.6 and 4.4.0-4.4.16 release branches, where a malformed UMTS Frame Protocol packet triggers a heap-based buffer overflow (CWE-122) that crashes the application. A remote attacker who can get the crafted frame parsed - via live capture on a monitored segment or a shared capture file - can reliably terminate the analyzer, with no confidentiality or integrity impact. Publicly available exploit code exists (SSVC=poc) but it is not on CISA KEV, and EPSS is low at 0.14% (4th percentile), indicating minimal observed exploitation pressure.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Wireshark's DBS Etherwatch dissector affects release branches 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16, where a malformed capture file or crafted packet can crash the application. The flaw is a stack-based buffer overflow (CWE-121) that manifests only as an availability impact - no confidentiality or integrity loss and no confirmed code execution - carrying a 7.5 (High) CVSS. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Buffer Overflow Denial Of Service Stack Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack-based buffer overflow in Wireshark's IEEE 802.11 (Wi-Fi) protocol dissector crashes the application, resulting in denial of service across versions 4.6.0-4.6.6 and 4.4.0-4.4.16. An attacker with the ability to deliver a malicious packet capture file, or inject crafted 802.11 frames into a live capture session, can crash the Wireshark process on a victim analyst's machine. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; vendor-released patches (4.6.7 and 4.4.17) are available.

Buffer Overflow Denial Of Service Stack Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Wireshark 4.6.0 through 4.6.6 lets a remote attacker crash the application by feeding it a malformed TLS packet using the Encrypted Client Hello (ECH) extension, triggering a heap buffer overflow in the ECH decryptor. No authentication or user interaction beyond processing the traffic is required, though impact is limited to availability (analyzer crash) with no code execution or data disclosure claimed. Publicly available exploit code exists per SSVC (POC), EPSS is low at 0.14% (4th percentile), and it is not listed in CISA KEV.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Wireshark's ciscodump remote capture utility (extcap) affects versions 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16, where a heap-based buffer overflow (CWE-122) can crash the capture tool. An attacker able to feed crafted data to a running ciscodump session can terminate the process, disrupting live packet capture. A POC is referenced by CISA's SSVC assessment (no public exploit code independently identified), it is not in CISA KEV, and EPSS is very low at 0.10% (1st percentile), indicating minimal likelihood of widespread exploitation.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Wireshark 4.6.0-4.6.6 and 4.4.0-4.4.16 lets a remote attacker crash or hang the application by feeding it crafted packets that trigger infinite loops in multiple protocol dissectors. No public exploit is identified at time of analysis, and the flaw is limited to availability - no code execution or data exposure. Real-world urgency is modest: EPSS sits at 0.12% and CISA SSVC rates exploitation as 'none' with only partial technical impact.

Denial Of Service Wireshark
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Memory corruption in the User-ID Terminal Server Agent (TSA) of Palo Alto Networks PAN-OS lets an unauthenticated network attacker crash the service (DoS) or potentially execute arbitrary code by sending crafted traffic to the TSA listener. Multiple out-of-bounds write bugs are involved; the vendor's CVSS 4.0 vector flags the exploit as unproven (E:U), and no public exploit has been identified at time of analysis. Panorama is explicitly not affected, and exposure hinges on whether the optional TSA component is deployed and reachable.

Memory Corruption Paloalto Buffer Overflow +3
NVD VulDB
CVSS 5.5
MEDIUM PATCH This Month

Path traversal in DSpace's Curation Task reporter parameter exposes authenticated Collection, Community, and Site Administrators to file write operations at arbitrary server-side paths writable by the DSpace/Tomcat OS user. Affected are DSpace versions through 7.6.6, 8.0-8.3, and 9.0-9.2, where the attack surface widened when web UI access was granted to admin roles beyond CLI-only system administrators. No public exploit or CISA KEV listing exists; the vendor-assigned CVSS 3.1 score of 5.5 (PR:H, A:H) correctly reflects that high-privilege credentials are required but the availability impact from overwriting configuration or binary files can be severe.

Java Path Traversal Denial Of Service +1
NVD GitHub
CVSS 8.7
HIGH POC PATCH This Week

Authorization bypass in Zalando Skipper (<= v0.26.8) lets remote unauthenticated attackers defeat the opaAuthorizeRequestWithBody OPA filter by sending the request body with HTTP/1.1 Transfer-Encoding: chunked or HTTP/2 framing that omits content-length. Because net/http sets ContentLength = -1 for such requests, Skipper's body extractor buffers an empty body, so Rego policies that gate on input.parsed_body evaluate against an empty document, fail open, and forward the forbidden payload upstream. Publicly available exploit code exists (a full E2E Go PoC is embedded in the GHSA advisory); the flaw is not in CISA KEV and no EPSS score was provided.

Request Smuggling Denial Of Service
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

ReDoS vulnerability in the guardrails-detectors component of Red Hat OpenShift AI enables adjacent-network attackers to submit specially crafted regular expressions to the public detection API, triggering catastrophic backtracking that pins a worker process at 100% CPU indefinitely. The availability impact extends beyond the component itself - the entire guardrails-mediated LLM pipeline is rendered non-functional. No public exploit identified at time of analysis, but exploitation requires no authentication and trivial effort from an adjacent network position.

Red Hat Denial Of Service Openshift Ai
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in the pypdf Python PDF library (all versions prior to 6.14.1) allows a remote attacker to hang a consuming application by supplying a malicious PDF. A page content stream containing an unterminated inline image drives the inline-image end-marker detection logic into an infinite loop, most notably triggered during page text extraction. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects an unauthenticated, low-complexity availability attack, and a fixed release (6.14.1) is available.

Python Denial Of Service Pypdf
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in pypdf before 6.14.2 lets a remote attacker hang any application that parses an attacker-supplied PDF: a page content stream carrying an unterminated inline image with an ASCII85 or ASCIIHex filter drives the parser into an infinite loop (CWE-835), most notably during page text extraction. The pure-Python library is very widely used in document-processing and data-ingestion pipelines, so a single malicious file can pin a CPU core and stall the worker. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the root cause is well-described and trivially reproducible.

Python Denial Of Service Pypdf
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

{{ huge_array | pop }}` trigger an O(N) full clone of an attacker-influenced array that bypasses the engine's configured memoryLimit budget, enabling denial of service through memory exhaustion. The `pop` array filter in src/filters/array.ts clones its input via `[...toArray(v)]` without routing the allocation through `this.context.memoryLimit.use(...)`, so the safety guard applications rely on is silently defeated. There is no public exploit identified at time of analysis, EPSS/KEV data was not supplied, and the impact is limited to availability (no confidentiality or integrity loss).

Denial Of Service Liquidjs
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Uncontrolled resource consumption in pypdf prior to 6.14.0 allows unauthenticated remote attackers to cause denial of service by submitting a crafted PDF containing repeated malformed cross-reference streams. The library's XRef table recovery routine performs unbounded work on such inputs, leading to excessive CPU time consumption and effectively hanging or severely degrading any application that processes attacker-supplied PDFs. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Python Denial Of Service Pypdf
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Memory exhaustion in HashiCorp memberlist before 0.6.0 allows network-accessible attackers to crash individual cluster nodes by sending crafted push/pull state synchronization messages to the gossip port, triggering unbounded memory allocation until the process terminates. The vulnerability is rooted in missing resource limits on incoming gossip state payloads (CWE-770). No public exploit code exists and CISA KEV listing is not confirmed; however, because memberlist underpins HashiCorp Consul, Nomad, and Vault cluster communication, a single exploitable node crash can disrupt distributed coordination in dependent systems.

Hashicorp Denial Of Service Shared Library
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unbounded recursion in Mistune's Include directive (all versions prior to 3.3.0) can be triggered by a pair of mutually-referencing markdown files, bypassing the cycle detector that only checks for direct self-inclusion. An attacker who can supply markdown content processed by an application using the Include directive may crash the rendering request with a Python RecursionError, resulting in a denial of service. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a confirmed fix is available in version 3.3.0.

Python Denial Of Service Mistune
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Mistune (the lepture Python Markdown parser) before 3.3.0 lets remote unauthenticated attackers exhaust CPU by submitting a Markdown document packed with many repeated or distinct reference-link definitions, which triggers quadratic-time processing in the block parser and its ref_links dictionary handling. Any service that renders attacker-supplied Markdown through Mistune (wikis, comment systems, docs pipelines, notebook converters) can be stalled with a single crafted input. No public exploit is identified at time of analysis and it is not in CISA KEV, but the low-complexity, no-auth vector makes weaponization trivial.

Python Denial Of Service Mistune
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Mistune, a widely used pure-Python Markdown parser, affects all versions prior to 3.3.0 where the default inline parser exhibits quadratic (O(n²)) behavior on long runs of well-formed double- or triple-asterisk emphasis pairs. Because the parser rescans forward for matching close markers from every candidate opening run, a small crafted Markdown payload forces disproportionate CPU consumption, exhausting resources on any service that renders untrusted Markdown. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and unauthenticated network vector make availability impact realistic against default configurations.

Python Denial Of Service Mistune
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Mistune, a Python Markdown parser, affects all versions prior to 3.3.0 when the strikethrough, mark, or insert plugins are enabled. Remote attackers can submit crafted Markdown containing runs of closed tilde (~), equals (=), or caret (^) marker pairs that trigger quadratic-time scanning in the formatting plugin, exhausting CPU and rendering the parsing service unresponsive. No public exploit identified at time of analysis, and the flaw is not in CISA KEV; impact is limited to availability with no data exposure.

Python Denial Of Service Mistune
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in the Immutable.js JavaScript library (versions before 4.3.9 and 5.1.8) allows attackers who can influence an index or size value to crash or hang a Node.js/browser process. Passing a value between 2^30 and 2^31 to List#set, setSize, setIn, updateIn (or the functional equivalents) drives setListBounds into an uncatchable infinite loop on empty Lists, unbounded memory allocation until process abort on populated Lists, or a silent integer wrap on setSize. No public exploit code has been identified at time of analysis, and the flaw is not on the CISA KEV list; impact is availability-only.

Integer Overflow Denial Of Service Immutable Js
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Engine.IO 6.5.0 through 6.6.6 (the transport layer beneath Socket.IO) lets remote unauthenticated attackers crash the server by supplying a crafted session ID like '__proto__' during a WebTransport upgrade. Because the session ID is looked up against the internal clients object without guarding inherited properties, the resolved value is a prototype function rather than a client, triggering a TypeError that terminates request handling. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trigger is trivial to reproduce on any server that has WebTransport enabled.

Denial Of Service Socket Io
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service via infinite loop in protobuf.js (the pure-JavaScript Protocol Buffers implementation for Node.js/browsers) affects versions 8.0.0 through <8.6.6 and 7.5.0 through <7.6.5. When the parser reads an option declaration in a .proto schema it advances through tokens looking for '=' without checking for end-of-input, so a truncated schema (e.g. 'option foo') hangs parse(), Root.load, or Root.loadSync forever, pinning a CPU core and stalling the event loop. No public exploit is identified at time of analysis and it is not in CISA KEV; EPSS is low (0.33%, 25th percentile), matching the SSVC rating of exploitation 'none' but automatable.

Denial Of Service Protobuf Js
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in node-tar prior to 7.5.18 allows remote attackers to hang a Node.js application by feeding it a crafted tar archive: a checksum-valid header carrying a negative base-256 encoded entry size makes the tar.replace scanner advance zero bytes and re-parse the same header forever. No public exploit or active exploitation is identified at time of analysis, but the CVSS 4.0 base score of 8.7 reflects the high, easily-reachable availability impact. Only applications that call tar.replace on untrusted archive input are affected.

Node.js Denial Of Service Node Tar
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Uncontrolled resource consumption in node-tar before 7.5.19 lets a small crafted gzip bomb exhaust disk space and CPU on any Node.js application that extracts or parses attacker-supplied tar archives. Because node-tar imposes no upper bound on total decompressed size, entry count, or compression ratio in its extract and parse paths, a tiny malicious file can inflate to consume all available storage and processing, causing denial of service. No public exploit has been identified, but the fix is a straightforward, well-documented behavior change published in the vendor advisory GHSA-23hp-3jrh-7fpw.

Node.js Denial Of Service Node Tar
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Wazuh wazuh-modulesd (all releases before 5.0.0-beta3) lets an enrolled agent crash the manager's inventory synchronization module by sending a verifier-valid FlatBuffer DataValue message that omits the optional id field, triggering a null pointer dereference (CWE-476). Exploitation requires only a valid enrolled agent (PR:L) over the network with no user interaction; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Impact is availability-only - no data confidentiality or integrity loss - but it can repeatedly take down central inventory sync, blinding a security monitoring deployment.

Wazuh Denial Of Service Null Pointer Dereference
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Heap buffer overflow in ImageMagick's FTXT encoder exposes systems to denial of service and potential information disclosure when processing attacker-crafted image files. All ImageMagick versions before 7.1.2-19 are affected due to missing boundary checks when parsing the ftxt:format parameter, allowing an out-of-bounds read (CWE-125) in the FTXT encoder component. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though a vendor patch is available at 7.1.2-19.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Remote code execution and denial of service in FreeRDP before 3.22.0 stem from a use-after-free in the dynamic virtual channel manager (drdynvc), where `dvcman_channel_close` and `dvcman_call_on_receive` access `channel_callback` without proper synchronization (CWE-362). A malicious or compromised RDP server can race DYNVC_DATA and DYNVC_CLOSE messages to free a channel callback while another thread still uses it, corrupting the client heap. This is a client-side flaw affecting anyone connecting to an attacker-controlled server; no public exploit identified at time of analysis, and it is not listed in CISA KEV. FreeRDP is a widely used open-source implementation of the Microsoft Remote Desktop Protocol, embedded in clients such as Remmina, GNOME Connections, Weston, and numerous commercial and VDI products. The bug lives in the drdynvc (Dynamic Virtual Channel) subsystem, which multiplexes optional channels (clipboard, audio, device redirection, etc.) over the RDP connection and processes them on a dedicated client thread. Per CWE-362 (concurrent execution using shared resource with improper synchronization / race condition), `dvcman_channel_close` (handling DYNVC_CLOSE) can free the `channel_callback` structure while `dvcman_call_on_receive` (handling DYNVC_DATA) is concurrently dereferencing it, producing a heap use-after-free. Because the RDP server dictates the timing and ordering of DYNVC_DATA and DYNVC_CLOSE PDUs, a hostile server controls the race window. The published CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H) yields 8.3 (High), driven mainly by high availability impact with lower confidentiality/integrity impact — consistent with a heap corruption that reliably crashes the client (DoS) but only potentially yields RCE. AC:H correctly reflects that success depends on winning a non-deterministic thread race, which is unreliable and may require many attempts. There is no EPSS score, no KEV listing, and no confirmed public POC in the provided data, so exploitation pressure is currently low-to-unknown; the RCE and Denial Of Service tags reflect potential impact, not observed attacks. One nuance to verify: the vector uses UI:N/PR:N, but this is a client-side vulnerability requiring the victim to connect to a malicious server — a real-world limiting factor that raw CVSS understates. Net: a legitimate patch priority for fleets whose users connect to untrusted or reachable RDP endpoints, but not an emergency mass-exploitation scenario given AC:H and no evidence of exploitation. FreeRDP (the open-source RDP client/library and its FreeRDP-based clients) at all versions prior to 3.22.0 are affected; the flaw is fixed in FreeRDP 3.22.0. No CPE strings were provided in the input, so exact downstream package ranges (e.g., distribution builds of Remmina or the freerdp2/freerdp3 packages) should be confirmed against vendor trackers. Authoritative details are in the FreeRDP GitHub Security Advisory GHSA-3mv2-5q57-2v8h (https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3mv2-5q57-2v8h) and the VulnCheck advisory (https://www.vulncheck.com/advisories/freerdp-use-after-free-via-race-condition-in-drdynvc-channel-callback). Vendor-released patch: FreeRDP 3.22.0 — upgrade all FreeRDP libraries and any FreeRDP-based clients (Remmina, GNOME Connections, xrdp clients, etc.) to 3.22.0 or later, rebuilding or updating downstream distribution packages that bundle the library. Until patched, reduce exposure by only connecting to trusted, known-good RDP servers and avoiding connections to untrusted or attacker-influenced hosts, since the malicious behavior originates server-side; where feasible, restrict outbound RDP (TCP 3389) from client machines to an allowlist of approved servers via egress firewall rules (trade-off: breaks ad-hoc connections to new servers). If specific dynamic virtual channels are not required, disabling optional channel redirections (clipboard, drive, audio) narrows the attack surface of drdynvc but does not fully eliminate the race and reduces functionality. Follow guidance in GHSA-3mv2-5q57-2v8h (https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3mv2-5q57-2v8h) and the VulnCheck advisory (https://www.vulncheck.com/advisories/freerdp-use-after-free-via-race-condition-in-drdynvc-channel-callback). An attacker stands up or compromises an RDP server and lures a victim into connecting with a vulnerable FreeRDP client (e.g., via a malicious .rdp file, phishing link, or a man-in-the-middle position). Once connected, the server rapidly interleaves DYNVC_DATA and DYNVC_CLOSE messages on a dynamic virtual channel to win the race and trigger the heap use-after-free in the client's drdynvc thread, crashing the client or, with careful heap grooming, potentially executing code in the client process. No public POC is identified at this time, and the AC:H race condition makes reliable code execution difficult. Exploitation requires the victim to establish an RDP session to an attacker-controlled or compromised server running against a FreeRDP client before 3.22.0, and the connection must use the drdynvc dynamic virtual channel path. The attacker must then concurrently send DYNVC_DATA and DYNVC_CLOSE messages on a dynamic virtual channel to win a timing race in `channel_callback` access. Limiting factors: the attacker must control the RDP server side (this is a client-side vulnerability, so it cannot be triggered against an unwilling client that never connects), the exploit depends on winning a non-deterministic thread race (CVSS AC:H) so it is unreliable and may require repeated attempts, and reliable code execution beyond a crash requires heap-layout control. No authentication to the malicious server is needed, but the user must initiate the outbound connection. Lure victim to malicious RDP server → Client opens dynamic virtual channel (drdynvc) → Server races DYNVC_DATA and DYNVC_CLOSE → Trigger heap use-after-free on channel_callback → Crash client or execute code in client process Affected/fixed version (before 3.22.0; fixed in 3.22.0), root cause, and functions are confirmed by the FreeRDP GitHub Security Advisory GHSA-3mv2-5q57-2v8h and the VulnCheck advisory. CVSS 4.0 vector, 8.3 score, and CWE-362 are provided in the input; RCE is described as potential, not demonstrated. Not listed in CISA KEV and no EPSS score or public POC was provided, so real-world exploitation status is unknown; downstream package version ranges are not confirmed due to absent CPE data. high core open-source RDP library embedded in many Linux remote-desktop clients CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H Client-side flaw needing the victim to connect to a malicious server (UI:R) and to win a thread race (AC:H); heap corruption gives high availability impact with limited C/I. CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Denial Of Service Race Condition RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Cross-tenant bundle deletion in Capgo (Capacitor live/OTA update platform) before 12.128.2 lets holders of an upload-scoped API key rewrite the mutable app_versions.r2_path column through the PostgREST data API, retargeting it at another tenant's Cloudflare R2 objects. By pointing a soft-deleted attacker version at a victim bundle and firing the on_version_update cleanup trigger, an attacker deletes the victim's R2 object, breaking that app's over-the-air update delivery. No public exploit is identified at time of analysis, but the mechanism is fully described and CVSS 4.0 rates availability impact as High (8.7).

Authentication Bypass Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Dell PowerProtect Data Domain (DDOS versions 7.7.1.0 through 8.7, plus LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, and LTS2024 7.13.1.0-7.13.1.70) allows a remote, unauthenticated attacker to crash or hang the appliance by triggering an integer overflow (CWE-190). Per the CVSS vector (PR:N/UI:N), no authentication or user interaction is required, and the impact is confined to availability (C:N/I:N/A:H) - no data disclosure or code execution. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; EPSS was not provided.

Integer Overflow Dell Denial Of Service +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Tanium Server allows remote unauthenticated attackers to exhaust availability of the platform, per vendor advisory TAN-2026-016. The flaw is network-reachable with low complexity and no privileges or user interaction (CVSS 7.5, availability-only impact), and the CWE-789 classification indicates an uncontrolled/excessive memory allocation can be triggered remotely. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Server
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1/14.0.4 and earlier) allows a crafted PDF containing embedded JavaScript to free page objects and trigger a dangling write to pop-up annotation objects. An attacker who convinces a user to open a malicious document can crash the application and potentially achieve arbitrary code execution in the user's context. No public exploit identified at time of analysis; the flaw was reported privately by Foxit.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Denial-of-service (and potential memory-corruption) in Foxit PDF Editor (≤14.0.4 / ≤13.2.4 / ≤2026.1.1) and Foxit PDF Reader (≤2026.1.1) arises when a crafted PDF's embedded JavaScript rewrites the document to alter the page structure, freeing the underlying page objects while the thumbnail renderer continues to reference them - a classic use-after-free (CWE-416). A victim who merely opens the file triggers the dangling reference, causing an application crash and, given the CVSS confidentiality/integrity impact, a plausible path to code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Denial-of-service in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1 and earlier) occurs when a victim opens a crafted PDF whose embedded JavaScript deletes the current page, after which subsequent scripts dereference now-freed document-view properties and crash the application. This is a CWE-416 use-after-free reported by Foxit; no public exploit identified at time of analysis, and it is not listed in CISA KEV. The documented impact is an application crash, though the underlying memory-corruption class warrants caution about potential escalation.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor lets a crafted PDF containing JavaScript trigger stale field-pointer dereferences after the script deletes form fields, corrupting memory and crashing the application. The flaw affects Foxit PDF Editor 14.0.4 and earlier and Foxit PDF Reader 2026.1.1 and earlier and requires the victim to open a malicious file. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Foxit's own CVSS of 7.8 (C:H/I:H/A:H) implies potential code execution beyond the crash described.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1, 13.2.4, 14.0.4 and earlier) allows attackers to crash the application and potentially corrupt memory when a victim opens a malicious PDF whose embedded JavaScript walks a deliberately damaged form-field tree. The bug is a use-after-free (CWE-416): field traversal leaves the program holding a freed/invalid form object, and dereferencing that invalid pointer causes the crash. No public exploit identified at time of analysis; disclosure originates from Foxit's own security bulletin.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Memory corruption in Foxit PDF Reader and Foxit PDF Editor allows a crafted PDF to trigger a use-after-free through the embedded JavaScript engine, where a form field object is deleted and then re-accessed, crashing the application. The flaw affects PDF Editor through 13.2.4, 14.0.4, and 2026.1.1, and PDF Reader through 2026.1.1, and was reported by Foxit. No public exploit has been identified at time of analysis, though CVSS scores the impact as high across confidentiality, integrity, and availability, implying potential exploitation beyond a simple crash.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Use-after-free memory corruption in Foxit PDF Reader (2026.1.1 and earlier) and Foxit PDF Editor (through 14.0.4, 13.2.4, and 2026.1.1) allows a remote attacker to execute arbitrary code or crash the application when a victim opens a maliciously crafted PDF. The flaw stems from JavaScript-driven form modifications that leave page-related objects with incomplete lifecycle management, so the application dereferences freed/invalid objects on page-state changes. No public exploit identified at time of analysis, and it is not listed in CISA KEV; while the description emphasizes a crash, the CVSS vector rates full confidentiality, integrity, and availability impact, consistent with exploitable memory corruption.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Memory corruption in Foxit PDF Reader (≤2026.1.1) and Foxit PDF Editor (≤14.0.4, ≤13.2.4, and ≤2026.1.1) allows an attacker to trigger a use-after-free when a victim opens a maliciously crafted PDF whose hyperlink annotation objects use abnormal relationships and field combinations. The flaw manifests as an invalid pointer write during object destruction; while the vendor description only confirms an application crash, the vendor-assigned CVSS (C:H/I:H/A:H) and CWE-416 classification indicate potential for arbitrary code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Memory-corruption crash (and potential code execution) in Foxit PDF Reader and Foxit PDF Editor occurs when a PDF's embedded JavaScript writes annotation attributes without sufficient object-type and argument validation, corrupting the internal annotation structure so the application faults during subsequent object release (CWE-763). Local exploitation requires a user to open a crafted PDF; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV. The vendor rates full confidentiality, integrity, and availability impact (CVSS 7.8), though Foxit tags it as Denial of Service.

Denial Of Service Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
Prev Page 4 of 405 Next

Quick Facts

Typical Severity
MEDIUM
Category
other
Total CVEs
36442

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy