CWE-789
AllowedMemory Allocation with Excessive Size Value
Abstraction: Variant · Status: Draft
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
321 vulnerabilities reference this CWE, most recent first.
GHSA-5J7G-C464-CJ57
Vulnerability from github – Published: 2026-06-04 12:30 – Updated: 2026-06-04 12:30Memory allocation with excessive size value vulnerability in Samsung Open Source rlottie allows Excessive Allocation.
This issue affects rlottie: before 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd.
{
"affected": [],
"aliases": [
"CVE-2026-47319"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T10:16:39Z",
"severity": "MODERATE"
},
"details": "Memory allocation with excessive size value vulnerability in Samsung Open Source rlottie allows Excessive Allocation.\n\nThis issue affects rlottie: before 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd.",
"id": "GHSA-5j7g-c464-cj57",
"modified": "2026-06-04T12:30:25Z",
"published": "2026-06-04T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47319"
},
{
"type": "WEB",
"url": "https://github.com/Samsung/rlottie/pull/588"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5PX6-HG9V-R927
Vulnerability from github – Published: 2024-02-12 03:30 – Updated: 2025-11-04 21:31dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.
{
"affected": [],
"aliases": [
"CVE-2023-52429"
],
"database_specific": {
"cwe_ids": [
"CWE-754",
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-12T03:15:32Z",
"severity": "MODERATE"
},
"details": "dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.",
"id": "GHSA-5px6-hg9v-r927",
"modified": "2025-11-04T21:31:07Z",
"published": "2024-02-12T03:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52429"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bd504bcfec41a503b32054da5472904b404341a4"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3LZROQAX7Q7LEP4F7WQ3KUZKWCZGFFP2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GS7S3XLTLOUKBXV67LLFZWB3YVFJZHRK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3LZROQAX7Q7LEP4F7WQ3KUZKWCZGFFP2"
},
{
"type": "WEB",
"url": "https://www.spinics.net/lists/dm-devel/msg56625.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5VRW-QJXW-89R5
Vulnerability from github – Published: 2026-03-19 18:31 – Updated: 2026-03-19 21:23Memory Allocation with Excessive Size Value (CWE-789) in the Prometheus remote_write HTTP handler in Metricbeat can lead Denial of Service via Excessive Allocation (CAPEC-130).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/elastic/beats/v7"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0.0-alpha2.0.20260112100137-de072c4e371e"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26931"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T21:23:04Z",
"nvd_published_at": "2026-03-19T17:16:23Z",
"severity": "MODERATE"
},
"details": "Memory Allocation with Excessive Size Value (CWE-789) in the Prometheus remote_write HTTP handler in Metricbeat can lead Denial of Service via Excessive Allocation (CAPEC-130).",
"id": "GHSA-5vrw-qjxw-89r5",
"modified": "2026-03-19T21:23:04Z",
"published": "2026-03-19T18:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26931"
},
{
"type": "WEB",
"url": "https://github.com/elastic/beats/commit/de072c4e371eafeb2a42d65b9ad513f666e4ffd7"
},
{
"type": "WEB",
"url": "https://discuss.elastic.co/t/metricbeat-8-19-13-9-2-5-security-update-esa-2026-09/385532"
},
{
"type": "PACKAGE",
"url": "https://github.com/elastic/beats"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Metricbeat Allocates Memory with Excessive Size Value Leading to Denial of Service"
}
GHSA-5WRP-CWCJ-Q835
Vulnerability from github – Published: 2026-05-28 17:04 – Updated: 2026-06-09 11:53Summary
https://github.com/open-telemetry/opentelemetry-go/pull/7880 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs.
Details
The commit removes the upfront baggage-string length check and the per-member size guard in parsing. Parse now walks the entire input with strings.SplitSeq and skips invalid members while continuing to process the rest. For very large or malformed baggage headers, the parser still fully tokenizes and percent-decodes each member, and errors are forwarded to the global error handler (default logging). This lets a remote client send oversized/invalid headers to trigger excessive CPU/memory work and potentially large log output before any size limit is enforced, creating a denial-of-service risk in services that do not already enforce strict header size limits.
Summary:
- In baggage/baggage.go, parseMember performs full parsing and PathUnescape on the entire member without any size guard, amplifying work for large inputs. Parse no longer checks bStr length and continues processing invalid members, so oversized/invalid headers are fully parsed instead of being rejected early.
- In propagation/baggage.go, parsing errors from attacker-controlled headers are sent to the global error handler (default logging), which can amplify oversized-input impact.
PoC
Impact
The issue is reachable through standard propagation parsing (in-scope) and can be exploited remotely to cause CPU/log amplification, but the impact is availability-only and bounded by transport header limits and configurable error handling, supporting a medium severity rather than high/critical.
baggage.Parse iterates over all list members with strings.SplitSeq and skips invalid members while continuing, without a raw-length guard. parseMember performs full parsing and PathUnescape on each member, and propagation.Baggage forwards parsing errors to the global error handler, which logs by default. A remote client can therefore send oversized/invalid baggage headers that bypass the 8KB limit for valid members, causing extra CPU work and large log output, resulting in availability/log amplification in services that accept large headers and use the default handler.
Assumptions:
- An instrumented service uses the OpenTelemetry baggage propagator for inbound request parsing.
- Attackers can send oversized or malformed baggage headers that pass the hosting server/proxy header size limits.
- The default error handler is used or logs are otherwise emitted for parse errors.
- Inbound request parsing with propagation.Baggage
- Oversized/invalid baggage headers accepted by the HTTP/gRPC stack
- Error handler not suppressing parse errors
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "go.opentelemetry.io/otel/baggage"
},
"ranges": [
{
"events": [
{
"introduced": "1.41.0"
},
{
"fixed": "1.42.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.41.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "go.opentelemetry.io/otel/propagation"
},
"ranges": [
{
"events": [
{
"introduced": "1.41.0"
},
{
"fixed": "1.42.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.41.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "go.opentelemetry.io/otel/baggage"
},
"ranges": [
{
"events": [
{
"introduced": "1.43.0"
},
{
"fixed": "1.44.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.43.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "go.opentelemetry.io/otel/propagation"
},
"ranges": [
{
"events": [
{
"introduced": "1.43.0"
},
{
"fixed": "1.44.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.43.0"
]
}
],
"aliases": [
"CVE-2026-41178"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-28T17:04:19Z",
"nvd_published_at": "2026-06-04T16:16:37Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nhttps://github.com/open-telemetry/opentelemetry-go/pull/7880 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs.\n\n\n### Details\n\nThe commit removes the upfront baggage-string length check and the per-member size guard in parsing. `Parse` now walks the entire input with `strings.SplitSeq` and skips invalid members while continuing to process the rest. For very large or malformed `baggage` headers, the parser still fully tokenizes and percent-decodes each member, and errors are forwarded to the global error handler (default logging). This lets a remote client send oversized/invalid headers to trigger excessive CPU/memory work and potentially large log output before any size limit is enforced, creating a denial-of-service risk in services that do not already enforce strict header size limits.\n\nSummary:\n- In `baggage/baggage.go`, `parseMember` performs full parsing and `PathUnescape` on the entire member without any size guard, amplifying work for large inputs. `Parse` no longer checks bStr length and continues processing invalid members, so oversized/invalid headers are fully parsed instead of being rejected early.\n- In `propagation/baggage.go`, parsing errors from attacker-controlled headers are sent to the global error handler (default logging), which can amplify oversized-input impact.\n\n### PoC\n\n[baggage_dos_poc.tar.gz](https://github.com/user-attachments/files/26677819/baggage_dos_poc.tar.gz)\n\n### Impact\n\nThe issue is reachable through standard propagation parsing (in-scope) and can be exploited remotely to cause CPU/log amplification, but the impact is availability-only and bounded by transport header limits and configurable error handling, supporting a medium severity rather than high/critical.\n\n`baggage.Parse` iterates over all list members with `strings.SplitSeq` and skips invalid members while continuing, without a raw-length guard. `parseMember` performs full parsing and `PathUnescape` on each member, and `propagation.Baggage` forwards parsing errors to the global error handler, which logs by default. A remote client can therefore send oversized/invalid baggage headers that bypass the 8KB limit for valid members, causing extra CPU work and large log output, resulting in availability/log amplification in services that accept large headers and use the default handler.\n\nAssumptions:\n\n- An instrumented service uses the OpenTelemetry baggage propagator for inbound request parsing.\n- Attackers can send oversized or malformed baggage headers that pass the hosting server/proxy header size limits.\n- The default error handler is used or logs are otherwise emitted for parse errors.\n- Inbound request parsing with propagation.Baggage\n- Oversized/invalid baggage headers accepted by the HTTP/gRPC stack\n- Error handler not suppressing parse errors",
"id": "GHSA-5wrp-cwcj-q835",
"modified": "2026-06-09T11:53:08Z",
"published": "2026-05-28T17:04:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-5wrp-cwcj-q835"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41178"
},
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-go/pull/7880"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-telemetry/opentelemetry-go"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "opentelemetry-go\u0027s baggage parsing no longer caps raw header length"
}
GHSA-655V-G44J-4FC7
Vulnerability from github – Published: 2024-11-23 03:31 – Updated: 2024-11-23 03:31IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.
{
"affected": [],
"aliases": [
"CVE-2024-41761"
],
"database_specific": {
"cwe_ids": [
"CWE-770",
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-23T03:15:08Z",
"severity": "MODERATE"
},
"details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.",
"id": "GHSA-655v-g44j-4fc7",
"modified": "2024-11-23T03:31:59Z",
"published": "2024-11-23T03:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41761"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7175947"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-659W-93R5-9J6M
Vulnerability from github – Published: 2026-05-04 18:30 – Updated: 2026-05-08 17:54OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader
Versions Affected:
Before 2.5.9
Before 3.0.0-M3
Description:
The AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed integer count field from a binary model stream and pass that value directly to an array allocation (new String[numOutcomes], new int[numOCTypes][], new String[NUM_PREDS]) without validating that the value is non-negative or within a reasonable bound. The count is therefore fully attacker-controlled when the model file originates from an untrusted source.
A crafted .bin model file in which any of these count fields is set to Integer.MAX_VALUE (or any value large enough to exhaust the available heap) triggers an OutOfMemoryError at the array allocation itself, before the corresponding label or pattern data is consumed from the stream. The error occurs very early in deserialization: for a GIS model, getOutcomes() is reached after only the model-type string, the correction constant, and the correction parameter have been read; so the attacker pays no meaningful size cost to weaponize a payload, and a single small file can crash a JVM that loads it. Any code path that deserializes a .bin model is affected, including direct use of GenericModelReader and any higher-level component that delegates to it during model load.
The practical impact is denial of service against processes that load model files from untrusted or semi-trusted origins.
Mitigation:
-
2.x users should upgrade to 2.5.9.
-
3.x users should upgrade to 3.0.0-M3.
Note: The fix introduces an upper bound on each of the three count fields, checked before array allocation; counts that are negative or exceed the bound cause an IllegalArgumentException to be thrown and the read to fail fast with no large allocation. The default bound is 10,000,000, which is well above the entry counts of legitimate OpenNLP models but far below any value that would threaten heap exhaustion. Deployments that legitimately need to load models with more entries than the default can raise the limit at JVM startup by setting the OPENNLP_MAX_ENTRIES system property to the desired positive integer (e.g. -DOPENNLP_MAX_ENTRIES=50000000); invalid or non-positive values fall back to the default.
Users who cannot upgrade immediately should treat all .bin model files as untrusted input unless their provenance is verified, and should avoid loading models supplied by end users or fetched from third-party repositories without integrity checks.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.opennlp:opennlp-tools"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.opennlp:opennlp-tools"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-M1"
},
{
"fixed": "3.0.0-M3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42440"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T17:54:23Z",
"nvd_published_at": "2026-05-04T17:16:26Z",
"severity": "HIGH"
},
"details": "OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader\u00a0\n\nVersions Affected:\u00a0\n\nBefore 2.5.9\n\nBefore 3.0.0-M3\u00a0\n\nDescription:\n\n\nThe AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed integer count field from a binary model stream and pass that value directly to an array allocation (new String[numOutcomes], new int[numOCTypes][], new String[NUM_PREDS]) without validating that the value is non-negative or within a reasonable bound. The count is therefore fully attacker-controlled when the model file originates from an untrusted source.\n\n\nA crafted .bin model file in which any of these count fields is set to Integer.MAX_VALUE (or any value large enough to exhaust the available heap) triggers an OutOfMemoryError at the array allocation itself, before the corresponding label or pattern data is consumed from the stream. The error occurs very early in deserialization: for a GIS model, getOutcomes() is reached after only the model-type string, the correction constant, and the correction parameter have been read; so the attacker pays no meaningful size cost to weaponize a payload, and a single small file can crash a JVM that loads it. Any code path that deserializes a .bin model is affected, including direct use of GenericModelReader and any higher-level component that delegates to it during model load.\n\n\nThe practical impact is denial of service against processes that load model files from untrusted or semi-trusted origins.\u00a0\u00a0\n\n\nMitigation:\n\n\n\n * 2.x users should upgrade to 2.5.9.\n\n * 3.x users should upgrade to 3.0.0-M3.\n\n\n\n\nNote: The fix introduces an upper bound on each of the three count fields, checked before array allocation; counts that are negative or exceed the bound cause an IllegalArgumentException to be thrown and the read to fail fast with no large allocation. The default bound is 10,000,000, which is well above the entry counts of legitimate OpenNLP models but far below any value that would threaten heap exhaustion. Deployments that legitimately need to load models with more entries than the default can raise the limit at JVM startup by setting the OPENNLP_MAX_ENTRIES system property to the desired positive integer (e.g. -DOPENNLP_MAX_ENTRIES=50000000); invalid or non-positive values fall back to the default.\n\n\nUsers who cannot upgrade immediately should treat all .bin model files as untrusted input unless their provenance is verified, and should avoid loading models supplied by end users or fetched from third-party repositories without integrity checks.",
"id": "GHSA-659w-93r5-9j6m",
"modified": "2026-05-08T17:54:23Z",
"published": "2026-05-04T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42440"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/opennlp"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/s8xlkx1gqbxfsq48py5h6jphjvgqp1jo"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/01/21"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache OpenNLP AbstractModelReader has an OOM Denial of Service via Unbounded Array Allocation"
}
GHSA-65H2-WF7M-Q2V8
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-05-03 20:27A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.undertow:undertow-parent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.24.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-3223"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2023-09-27T20:16:42Z",
"nvd_published_at": "2023-09-27T15:18:56Z",
"severity": "HIGH"
},
"details": "A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it\u0027s possible to bypass the limit by setting the file name in the request to null.",
"id": "GHSA-65h2-wf7m-q2v8",
"modified": "2024-05-03T20:27:47Z",
"published": "2023-09-27T15:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3223"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4505"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4506"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4507"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4509"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4918"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4919"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4920"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4921"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:4924"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:7247"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-3223"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209689"
},
{
"type": "PACKAGE",
"url": "https://github.com/undertow-io/undertow"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231027-0004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Undertow vulnerable to denial of service"
}
GHSA-6JP5-GRGH-JW42
Vulnerability from github – Published: 2026-02-04 20:47 – Updated: 2026-02-04 20:47Impact
VTPM server listens on port 8877, exposing limited TPM functionality. The server reads 4 bytes as a uint32 size header, then allocates that amount on the stack for incoming data. This allows Denial of Service attacks against the vTPM service.
An workload (a container or VM) running on EVE-OS can use this to generate a DOS against the vTPM service.
Patches
Fixed in 9.4.3-lts and 10.1.0
Workarounds
None
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lf-edge/eve"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20230519072751-977f42b07fa9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-43632"
],
"database_specific": {
"cwe_ids": [
"CWE-770",
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-04T20:47:37Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nVTPM server listens on port 8877, exposing limited TPM functionality. The server reads 4 bytes as a uint32 size header, then allocates that amount on the stack for incoming data. This allows Denial of Service attacks against the vTPM service.\n\nAn workload (a container or VM) running on EVE-OS can use this to generate a DOS against the vTPM service.\n\n### Patches\n\nFixed in 9.4.3-lts and 10.1.0\n\n### Workarounds\n\nNone",
"id": "GHSA-6jp5-grgh-jw42",
"modified": "2026-02-04T20:47:37Z",
"published": "2026-02-04T20:47:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lf-edge/eve/security/advisories/GHSA-6jp5-grgh-jw42"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43632"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/cve-2023-43632"
},
{
"type": "WEB",
"url": "https://asrg.io/security-advisories/freely-allocate-buffer-on-the-stack-with-data-from-socket"
},
{
"type": "PACKAGE",
"url": "https://github.com/lf-edge/eve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "EVE Freely Allocates Buffer on The Stack With Data From Socket"
}
GHSA-6MGC-4427-8P4X
Vulnerability from github – Published: 2026-03-17 21:31 – Updated: 2026-04-27 18:32dr_libs version 0.13.3 and earlier contain an uncontrolled memory allocation vulnerability in drflac__read_and_decode_metadata() that allows attackers to trigger excessive memory allocation by supplying crafted PICTURE metadata blocks. Attackers can exploit attacker-controlled mimeLength and descriptionLength fields to cause denial of service through memory exhaustion when processing FLAC streams with metadata callbacks.
{
"affected": [],
"aliases": [
"CVE-2026-32836"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-17T20:16:14Z",
"severity": "MODERATE"
},
"details": "dr_libs version 0.13.3 and earlier contain an uncontrolled memory allocation vulnerability in drflac__read_and_decode_metadata() that allows attackers to trigger excessive memory allocation by supplying crafted PICTURE metadata blocks. Attackers can exploit attacker-controlled mimeLength and descriptionLength fields to cause denial of service through memory exhaustion when processing FLAC streams with metadata callbacks.",
"id": "GHSA-6mgc-4427-8p4x",
"modified": "2026-04-27T18:32:01Z",
"published": "2026-03-17T21:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32836"
},
{
"type": "WEB",
"url": "https://github.com/mackron/dr_libs/issues/298"
},
{
"type": "WEB",
"url": "https://github.com/mackron/dr_libs/commit/4f5a4cd3b57564d969443c580c75857e039f100a"
},
{
"type": "WEB",
"url": "https://github.com/mackron/dr_libs/commit/663239a3d0460c33bd5b6e5166edcb404e3df676"
},
{
"type": "WEB",
"url": "https://github.com/mackron/dr_libs/commit/fefced4a64adfb1a68a2d31d882366e56096dee8"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/mackron-dr-libs-excessive-memory-allocation-in-picture-metadata-parsing"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6MJH-29CC-G228
Vulnerability from github – Published: 2025-03-27 15:31 – Updated: 2025-03-28 18:33An allocation-size-too-big error in the parseSWF_DEFINEBINARYDATA function of libming v0.48 allows attackers to cause a Denial of Service (DoS) via supplying a crafted SWF file.
{
"affected": [],
"aliases": [
"CVE-2025-29491"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-27T15:16:00Z",
"severity": "MODERATE"
},
"details": "An allocation-size-too-big error in the parseSWF_DEFINEBINARYDATA function of libming v0.48 allows attackers to cause a Denial of Service (DoS) via supplying a crafted SWF file.",
"id": "GHSA-6mjh-29cc-g228",
"modified": "2025-03-28T18:33:11Z",
"published": "2025-03-27T15:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29491"
},
{
"type": "WEB",
"url": "https://github.com/libming/libming/issues/330"
},
{
"type": "WEB",
"url": "https://github.com/goodmow/PoC/blob/main/libming/libming-fuzz10.readme"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
Mitigation
Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.
No CAPEC attack patterns related to this CWE.