CWE-789
AllowedMemory Allocation with Excessive Size Value
Abstraction: Variant · Status: Draft
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
321 vulnerabilities reference this CWE, most recent first.
GHSA-8WMX-4C83-GCJF
Vulnerability from github – Published: 2026-05-10 15:31 – Updated: 2026-05-10 15:31memono Notepad 4.2 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character buffers into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices.
{
"affected": [],
"aliases": [
"CVE-2021-47944"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-10T13:16:30Z",
"severity": "HIGH"
},
"details": "memono Notepad 4.2 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character buffers into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices.",
"id": "GHSA-8wmx-4c83-gcjf",
"modified": "2026-05-10T15:31:20Z",
"published": "2026-05-10T15:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47944"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49977"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/memono-notepad-denial-of-service-via-buffer-overflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9566-65PP-GHQG
Vulnerability from github – Published: 2025-05-12 18:31 – Updated: 2025-05-12 18:31IBM 4769 Developers Toolkit 7.0.0 through 7.5.52 could allow a remote attacker to cause a denial of service in the Hardware Security Module (HSM) due to improper memory allocation of an excessive size.
{
"affected": [],
"aliases": [
"CVE-2025-3632"
],
"database_specific": {
"cwe_ids": [
"CWE-770",
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-12T17:15:46Z",
"severity": "HIGH"
},
"details": "IBM 4769 Developers Toolkit 7.0.0 through 7.5.52 could allow a remote attacker to cause a denial of service in the Hardware Security Module (HSM) due to improper memory allocation of an excessive size.",
"id": "GHSA-9566-65pp-ghqg",
"modified": "2025-05-12T18:31:46Z",
"published": "2025-05-12T18:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3632"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7233139"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-97VP-PWQJ-46QC
Vulnerability from github – Published: 2026-03-17 17:48 – Updated: 2026-03-30 14:04Summary
A Remote OOM (Out-of-Memory) vulnerability exists in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an attacker-controlled 4-byte length prefix to allocate memory, with ServerMaxMessageSize allowing single allocations of up to ~2 GiB. A compromised implant or an attacker with valid credentials can exploit this by sending fabricated length prefixes over concurrent yamux streams (up to 128 per connection), forcing the server to attempt allocating ~256 GiB of memory and triggering an OS OOM kill. This crashes the Sliver server, disrupts all active implant sessions, and may degrade or kill other processes sharing the same host. The same pattern also affects all implant-side readers, which have no upper-bound check at all.
Root Cause Analysis
The C2 envelope framing protocol uses a 4-byte little-endian length prefix to delimit protobuf messages on the wire:
[raw_signature (74 bytes)] [uint32 length] [protobuf data]
In socketReadEnvelope, after reading the length prefix, the server immediately allocates a buffer of the attacker-specified size:
// server/c2/mtls.go
const ServerMaxMessageSize = (2 * 1024 * 1024 * 1024) - 1 // ~2 GiB
dataLength := int(binary.LittleEndian.Uint32(dataLengthBuf))
if dataLength <= 0 || ServerMaxMessageSize < dataLength {
return nil, errors.New("[pivot] invalid data length")
}
dataBuf := make([]byte, dataLength) // ← Allocates up to ~2 GiB
// ... data is read into buffer ...
// Envelope signature verification happens AFTER allocation and read:
if !ed25519.Verify(pubKey, dataBuf, signature) {
return nil, errors.New("[mtls] invalid signature")
}
Key issues:
- Excessive limit:
ServerMaxMessageSizeis set to(2 * 1024 * 1024 * 1024) - 1≈ 2 GiB, far exceeding any legitimate protobuf envelope (large payloads like screenshots and downloads are chunked at the RPC layer). - Allocation before envelope verification: While the TLS handshake validates the client certificate, the per-envelope ed25519 signature check (
ed25519.Verify) occurs after the buffer allocation andio.ReadFull. Once the TLS connection is established, no further cryptographic proof is needed to trigger the allocation. - Yamux amplification: The yamux session allows up to
mtlsYamuxMaxConcurrentStreams = 128concurrent streams. Each stream processessocketReadEnvelopeindependently, so a single connection can trigger 128 parallel ~2 GiB allocations. - Implant-side exposure: The implant-side readers (ReadEnvelope in mTLS/WireGuard, read() in pivots) have no upper-bound check at all — they accept any
dataLength > 0.
The same pattern exists in socketWGReadEnvelope for the WireGuard transport.
Note: The same unbounded allocation pattern is also present in implant-side readers, though it poses no immediate risk to the server 1, 2, 3, 4.
Proof of Concept
PoC Links: mtls_poc.go or Gist Version
1. Establish mTLS connection: Complete a valid TLS 1.3 handshake presenting a valid implant client certificate.
2. Negotiate yamux: Send the MUX/1 preface to enter multiplexed stream mode.
3. Open concurrent streams: Open multiple yamux streams (up to 128).
4. Send malicious length prefix: On each stream, send a 74-byte raw signature buffer followed by a 4-byte length prefix claiming 0x7FFFFFFF (2,147,483,647 bytes ≈ 2 GiB). No actual data needs to follow.
5. Result: Each stream triggers a make([]byte, 0x7FFFFFFF) allocation. With 128 concurrent streams, the server process attempts to allocate up to ~256 GiB of memory, causing the OS OOM killer to terminate the process.
Impact
- Server availability: The Sliver server process is killed. Active implant sessions are disrupted until the operator manually restarts the server.
- Host degradation: On hosts with swap enabled, the OOM event may cause swap thrashing and degrade other services sharing the same host before the process is killed.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/bishopfox/sliver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.7.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32941"
],
"database_specific": {
"cwe_ids": [
"CWE-770",
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T17:48:45Z",
"nvd_published_at": "2026-03-20T04:16:49Z",
"severity": "MODERATE"
},
"details": "# Summary\nA Remote OOM (Out-of-Memory) vulnerability exists in the Sliver C2 server\u0027s mTLS and WireGuard C2 transport layer. The\u00a0`socketReadEnvelope`\u00a0and `socketWGReadEnvelope`\u00a0functions trust an attacker-controlled 4-byte length prefix to allocate memory, with\u00a0`ServerMaxMessageSize`\u00a0allowing single allocations of up to\u00a0**~2 GiB**. A compromised implant or an attacker with valid credentials can exploit this by sending fabricated length prefixes over concurrent yamux streams (up to 128 per connection), forcing the server to attempt allocating\u00a0**~256 GiB**\u00a0of memory and triggering an OS OOM kill. This crashes the Sliver server, disrupts all active implant sessions, and may degrade or kill other processes sharing the same host. The same pattern also affects all implant-side readers, which have\u00a0**no**\u00a0upper-bound check at all.\n\n---\n# Root Cause Analysis\n\nThe C2 envelope framing protocol uses a 4-byte little-endian length prefix to delimit protobuf messages on the wire:\n\n```\n[raw_signature (74 bytes)] [uint32 length] [protobuf data]\n```\n\nIn [socketReadEnvelope](https://github.com/BishopFox/sliver/blob/master/server/c2/mtls.go#L337-L392), after reading the length prefix, the server immediately allocates a buffer of the attacker-specified size:\n\n```go\n// server/c2/mtls.go\nconst ServerMaxMessageSize = (2 * 1024 * 1024 * 1024) - 1 // ~2 GiB\n\ndataLength := int(binary.LittleEndian.Uint32(dataLengthBuf))\nif dataLength \u003c= 0 || ServerMaxMessageSize \u003c dataLength {\n return nil, errors.New(\"[pivot] invalid data length\")\n}\ndataBuf := make([]byte, dataLength) // \u2190 Allocates up to ~2 GiB\n\n// ... data is read into buffer ...\n\n// Envelope signature verification happens AFTER allocation and read:\nif !ed25519.Verify(pubKey, dataBuf, signature) {\n return nil, errors.New(\"[mtls] invalid signature\")\n}\n```\n\n**Key issues:**\n\n1. **Excessive limit**: `ServerMaxMessageSize` is set to `(2 * 1024 * 1024 * 1024) - 1` \u2248 **2 GiB**, far exceeding any legitimate protobuf envelope (large payloads like screenshots and downloads are chunked at the RPC layer).\n2. **Allocation before envelope verification**: While the TLS handshake validates the client certificate, the per-envelope ed25519 signature check (`ed25519.Verify`) occurs **after** the buffer allocation and `io.ReadFull`. Once the TLS connection is established, no further cryptographic proof is needed to trigger the allocation.\n3. **Yamux amplification**: The yamux session allows up to `mtlsYamuxMaxConcurrentStreams = 128` concurrent streams. Each stream processes `socketReadEnvelope` independently, so a single connection can trigger **128 parallel ~2 GiB allocations**.\n4. **Implant-side exposure**: The implant-side readers ([ReadEnvelope](https://github.com/BishopFox/sliver/blob/master/implant/sliver/transports/mtls/mtls.go#L184) in mTLS/WireGuard, [read()](https://github.com/BishopFox/sliver/blob/master/implant/sliver/pivots/pivots.go#L478) in pivots) have **no upper-bound check at all** \u2014 they accept any `dataLength \u003e 0`.\n\nThe same pattern exists in [socketWGReadEnvelope](https://github.com/BishopFox/sliver/blob/master/server/c2/wireguard.go#L428-L487) for the WireGuard transport.\n\n\n_Note: The same unbounded allocation pattern is also present in implant-side readers, though it poses no immediate risk to the server [1](https://github.com/BishopFox/sliver/blob/master/implant/sliver/transports/mtls/mtls.go#L185), [2](https://github.com/BishopFox/sliver/blob/master/implant/sliver/transports/wireguard/wireguard.go#L178), [3](https://github.com/BishopFox/sliver/blob/master/implant/sliver/pivots/pivots.go), [4](https://github.com/BishopFox/sliver/blob/master/implant/sliver/transports/pivotclients/pivotclient.go)._\n\n\n---\n\n# Proof of Concept\nPoC Links: [mtls_poc.go](https://github.com/skoveit/Sliver-OOM-DoS-PoC/) or [Gist Version](https://gist.github.com/skoveit/08f3ec08ffbf3deeff189a83ef827dcf)\n1. **Establish mTLS connection**: Complete a valid TLS 1.3 handshake presenting a valid implant client certificate.\n2. **Negotiate yamux**: Send the `MUX/1` preface to enter multiplexed stream mode.\n3. **Open concurrent streams**: Open multiple yamux streams (up to 128).\n4. **Send malicious length prefix**: On each stream, send a 74-byte raw signature buffer followed by a 4-byte length prefix claiming `0x7FFFFFFF` (2,147,483,647 bytes \u2248 2 GiB). No actual data needs to follow.\n5. **Result**: Each stream triggers a `make([]byte, 0x7FFFFFFF)` allocation. With 128 concurrent streams, the server process attempts to allocate **up to ~256 GiB** of memory, causing the OS OOM killer to terminate the process.\n\n# Impact\n- **Server availability**: The Sliver server process is killed. Active implant sessions are disrupted until the operator manually restarts the server.\n- **Host degradation**: On hosts with swap enabled, the OOM event may cause swap thrashing and degrade other services sharing the same host before the process is killed.",
"id": "GHSA-97vp-pwqj-46qc",
"modified": "2026-03-30T14:04:02Z",
"published": "2026-03-17T17:48:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-97vp-pwqj-46qc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32941"
},
{
"type": "WEB",
"url": "https://gist.github.com/skoveit/08f3ec08ffbf3deeff189a83ef827dcf"
},
{
"type": "PACKAGE",
"url": "https://github.com/BishopFox/sliver"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Sliver Vulnerable to Authenticated OOM via Memory Exhaustion in mTLS/WireGuard Transports"
}
GHSA-9M3W-2GGJ-2VQW
Vulnerability from github – Published: 2023-09-27 18:30 – Updated: 2024-01-25 18:30A vulnerability in the Wireless Network Control daemon (wncd) of Cisco IOS XE Software for Wireless LAN Controllers could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition.
This vulnerability is due to improper memory management. An attacker could exploit this vulnerability by sending a series of network requests to an affected device. A successful exploit could allow the attacker to cause the wncd process to consume available memory and eventually cause the device to reload, resulting in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2023-20202"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T18:15:11Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the Wireless Network Control daemon (wncd) of Cisco IOS XE Software for Wireless LAN Controllers could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition.\n\n This vulnerability is due to improper memory management. An attacker could exploit this vulnerability by sending a series of network requests to an affected device. A successful exploit could allow the attacker to cause the wncd process to consume available memory and eventually cause the device to reload, resulting in a DoS condition.",
"id": "GHSA-9m3w-2ggj-2vqw",
"modified": "2024-01-25T18:30:44Z",
"published": "2023-09-27T18:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20202"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-wncd-HFGMsfSD"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9MV9-GW4X-7XW4
Vulnerability from github – Published: 2025-11-15 09:30 – Updated: 2025-11-15 09:30GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns.
{
"affected": [],
"aliases": [
"CVE-2025-12983"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-15T09:15:41Z",
"severity": "LOW"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated attacker to cause a denial of service condition by submitting specially crafted markdown content with nested formatting patterns.",
"id": "GHSA-9mv9-gw4x-7xw4",
"modified": "2025-11-15T09:30:25Z",
"published": "2025-11-15T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12983"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3419588"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/296257"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-C38H-7XM3-HV7V
Vulnerability from github – Published: 2026-07-15 15:33 – Updated: 2026-07-15 15:33DoS vulnerability in the vibration service. Impact: Successful exploitation of this vulnerability may affect availability.
{
"affected": [],
"aliases": [
"CVE-2026-58559"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-15T13:17:31Z",
"severity": "MODERATE"
},
"details": "DoS vulnerability in the vibration service.\u00a0Impact: Successful exploitation of this vulnerability may affect availability.",
"id": "GHSA-c38h-7xm3-hv7v",
"modified": "2026-07-15T15:33:06Z",
"published": "2026-07-15T15:33:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58559"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2026/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C7PR-383R-XGG3
Vulnerability from github – Published: 2026-03-12 18:30 – Updated: 2026-03-27 18:31A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition
{
"affected": [],
"aliases": [
"CVE-2026-28253"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-12T18:16:23Z",
"severity": "HIGH"
},
"details": "A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition",
"id": "GHSA-c7pr-383r-xgg3",
"modified": "2026-03-27T18:31:22Z",
"published": "2026-03-12T18:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28253"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-071-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-C9H3-C6QJ-HH7Q
Vulnerability from github – Published: 2022-09-21 00:00 – Updated: 2024-05-08 17:44A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.kafka:kafka"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.kafka:kafka"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.kafka:kafka"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.kafka:kafka"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0"
},
{
"fixed": "3.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-34917"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770",
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-21T21:15:52Z",
"nvd_published_at": "2022-09-20T09:15:00Z",
"severity": "HIGH"
},
"details": "A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.",
"id": "GHSA-c9h3-c6qj-hh7q",
"modified": "2024-05-08T17:44:34Z",
"published": "2022-09-21T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34917"
},
{
"type": "WEB",
"url": "https://github.com/apache/kafka/commit/14951a83e3fdead212156e5532359500d72f68bc"
},
{
"type": "WEB",
"url": "https://github.com/apache/kafka/commit/2bfa24b2bd416e7b8c4a0c566b984c43904fdecb"
},
{
"type": "WEB",
"url": "https://github.com/apache/kafka/commit/aaceb6b79bfcb1d32874ccdbc8f3138d1c1c00fb"
},
{
"type": "WEB",
"url": "https://github.com/apache/kafka/commit/c1295662768e64b4467e27c3d5158f95f2307657"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/KAFKA-14063"
},
{
"type": "WEB",
"url": "https://kafka.apache.org/cve-list"
},
{
"type": "WEB",
"url": "https://kafka.apache.org/cve-list#CVE-2022-34917"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Kafka vulnerability can lead to brokers hitting OutOfMemoryException, causing Denial of Service"
}
GHSA-C9VX-X9Q2-FFX8
Vulnerability from github – Published: 2026-02-25 18:31 – Updated: 2026-02-25 18:31A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco Nexus 9000 Series Fabric Switches in ACI mode could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
This vulnerability is due to improper processing when parsing SNMP requests. An attacker could exploit this vulnerability by continuously sending SNMP queries to a specific MIB of an affected device. A successful exploit could allow the attacker to cause a kernel panic on the device, resulting in a reload and a DoS condition. Note: This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMPv1 or SNMPv2c, the attacker must have a valid read-only SNMP community string for the affected system. To exploit this vulnerability through SNMPv3, the attacker must have valid SNMP user credentials for the affected system.
{
"affected": [],
"aliases": [
"CVE-2026-20048"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-25T17:25:25Z",
"severity": "HIGH"
},
"details": "A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco Nexus 9000 Series Fabric Switches in ACI mode could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.\n\nThis vulnerability is due to improper processing when parsing SNMP requests. An attacker could exploit this vulnerability by continuously sending SNMP queries\u0026nbsp;to a specific MIB of an affected device. A successful exploit could allow the attacker to cause a kernel panic on the device, resulting in a reload and a\u0026nbsp;DoS condition.\nNote: This vulnerability affects SNMP versions 1, 2c, and 3. To exploit\u0026nbsp;this vulnerability through SNMPv1 or\u0026nbsp;SNMPv2c, the attacker must have a valid read-only SNMP community string for the affected system. To exploit this vulnerability through SNMPv3, the attacker must have valid SNMP user credentials for the affected system.",
"id": "GHSA-c9vx-x9q2-ffx8",
"modified": "2026-02-25T18:31:38Z",
"published": "2026-02-25T18:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20048"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-dsnmp-cNN39Uh"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CF4R-4Q6G-M584
Vulnerability from github – Published: 2026-05-16 18:31 – Updated: 2026-05-16 18:31Sticky Notes Widget 3.0.6 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices.
{
"affected": [],
"aliases": [
"CVE-2021-47973"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-16T16:16:22Z",
"severity": "HIGH"
},
"details": "Sticky Notes Widget 3.0.6 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices.",
"id": "GHSA-cf4r-4q6g-m584",
"modified": "2026-05-16T18:31:38Z",
"published": "2026-05-16T18:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47973"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49978"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/sticky-notes-widget-denial-of-service-via-buffer-overflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
Mitigation
Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.
No CAPEC attack patterns related to this CWE.