Common Weakness Enumeration

CWE-1325

Allowed

Improperly Controlled Sequential Memory Allocation

Abstraction: Base · Status: Incomplete

The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects.

31 vulnerabilities reference this CWE, most recent first.

GHSA-CH76-JRMH-QM2H

Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30
VLAI
Details

An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. This contributes to memory pressure and may lead to availability loss by OOM.

This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1325"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-13T04:17:41Z",
    "severity": "HIGH"
  },
  "details": "An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. This contributes to memory pressure and may lead to availability loss by OOM.\n\nThis issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.",
  "id": "GHSA-ch76-jrmh-qm2h",
  "modified": "2026-05-13T18:30:51Z",
  "published": "2026-05-13T18:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8199"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/SERVER-122449"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F5V8-V6Q3-Q4H6

Vulnerability from github – Published: 2026-04-16 22:50 – Updated: 2026-04-16 22:50
VLAI
Summary
Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out)
Details

Summary

Meridian v2.1.0 (Meridian.Mapping and Meridian.Mediator) shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity — the advertised DefaultMaxCollectionItems and DefaultMaxDepth safety caps are silently bypassed on the IMapper.Map(source, destination) overload and anywhere .UseDestinationValue() is configured on a collection-typed property. Four are MEDIUM (constructor invariant bypass, OpenTelemetry stack-trace info disclosure, retry amplification, notification fan-out amplification). Three are LOW (exception message disclosure, dictionary duplicate-key echo, static mediator cache growth under closed-generic types).

All nine are patched in v2.1.1. Upgrade is a drop-in NuGet bump; see the v2.1.1 CHANGELOG for the four behavioural changes (constructor selection, OTel default, publisher fan-out cap, retry caps).

Severity Matrix

# Severity CWE Finding Fix
1 HIGH CWE-770 MappingEngine.TryMapCollectionOntoExisting enumerated the source without enforcing DefaultMaxCollectionItems. Reachable via Mapper.Map<TSrc,TDst>(src, dst) and any .ForMember(..., o => o.UseDestinationValue()) on a collection member through a plain Map(src) call. Shared cap enforcement helper between MapCollection and TryMapCollectionOntoExisting.
2 HIGH CWE-674 Collection-item recursion in the existing-destination path did not increment ResolutionContext.Depth, so self-referential collection graphs could reach stack overflow before DefaultMaxDepth fired. Depth increments at every collection-item boundary.
3 MEDIUM CWE-665 ObjectCreator.CreateWithConstructorMapping always invoked the widest public constructor, silently filling unresolved parameters with default(T) and bypassing narrower-ctor invariants. Widest-ctor selection now requires every parameter to be bound via explicit ctor mapping, source-name match, or a C# optional default.
4 MEDIUM CWE-532 Mediator.MarkActivityFailure emitted the full ex.ToString() (stack + inner chain) to the OpenTelemetry exception.stacktrace activity tag by default, leaking context to any shared trace sink. Gated on MediatorTelemetryOptions.RecordExceptionStackTrace — opt-in, default false.
5 MEDIUM CWE-400 RetryBehavior retried every exception type with unbounded MaxRetries; the exponential-backoff delay overflowed TimeSpan at ~30 attempts. No cancellation exclusion. Server-side MaxRetriesCap = 10, MaxBackoff = 5 min, OperationCanceledException short-circuit, recommended RetryPolicy.TransientOnly helper.
6 MEDIUM CWE-400 TaskWhenAllPublisher started every registered handler concurrently with no bound on fan-out. New constructor parameter maxDegreeOfParallelism (default 16; -1 restores legacy unbounded).
7 LOW CWE-209 Public mapping exceptions leaked FullName of source/destination types and concatenated inner exception messages into top-level property-mapping errors. Scrubbed to type Name; inner details only via InnerException chain.
8 LOW CWE-209 Dictionary materialization threw ArgumentException on duplicate keys, echoing the attacker-supplied key's .ToString(). Last-write-wins indexer semantics.
9 LOW CWE-1325 Static mediator handler caches grow monotonically under closed-generic request types. Doc-only mitigation; no code change — consumers must not allow attacker-controlled runtime type materialization to reach Send, Publish, or CreateStream. Documented in docs/security-model.md.

Exploitation

Finding 1 / 2 (headline): A consumer that maps user-supplied collection payloads onto an existing destination list via mapper.Map(userCollection, existingList) — a documented and commonly used AutoMapper-style idiom — processes the full attacker-supplied collection with no size cap and no depth cap. An attacker sending a single request with a large (or self-referential) collection payload can block the worker thread for seconds and exhaust the managed heap or the call stack. Equivalent exposure through .UseDestinationValue() on a collection-typed destination member, reachable via a plain Map(src) call whose destination type default-initializes that member.

Finding 3: A destination type with multiple public constructors that differ only in their parameter-binding invariants (e.g., new UserAccount(string name, Email email) enforcing a non-default Email) could be instantiated with the narrower ctor's invariants silently bypassed if any source field was absent — the widest ctor was always picked, with unbound parameters replaced by default(T).

Findings 4 / 5 / 6: Amplification / information-disclosure vectors described in the matrix above. Each requires moderate integration context (telemetry sink trust, handler count, retry policy) to weaponize, but each is reachable through public APIs without authentication.

Patches

  • Meridian.Mapping 2.1.1 (published 2026-04-16)
  • Meridian.Mediator 2.1.1 (published 2026-04-16)

Verified via: - GitHub Release assets at https://github.com/UmutKorkmaz/meridian/releases/tag/v2.1.1 - Sigstore attestation (actions/attest-build-provenance@v2gh attestation verify green on both .nupkg from the GitHub Release) - NuGet.org indexed both packages within the release workflow run

Workarounds

Users who cannot upgrade immediately may: 1. Avoid mapper.Map(src, dst) and .UseDestinationValue() on collection-typed destination members. 2. Wrap input collection deserialization with an explicit size limit before handing the payload to Meridian. 3. Register TaskWhenAllPublisher with maxDegreeOfParallelism ≤ 16 manually (v2.1.1+ only). 4. Disable OpenTelemetry exception.stacktrace tag emission at the trace exporter level if your trace sink is less trusted than your application.

These are defense-in-depth; the only complete mitigation is upgrading to 2.1.1.

Supported Versions

As of this advisory the supported security branch is 2.1.x. The 2.0.x line (published 2026-04-15) is not receiving the Phase 1 safety-defaults infrastructure needed to carry the HIGH-severity fixes, so 2.0.x is deprecated in favor of 2.1.x. See SECURITY.md for the updated supported-versions table.

Credits

  • UmutKorkmaz (reporter and maintainer)

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Meridian.Mapping"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Meridian.Mediator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1325",
      "CWE-209",
      "CWE-400",
      "CWE-532",
      "CWE-665",
      "CWE-674",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T22:50:37Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nMeridian v2.1.0 (`Meridian.Mapping` and `Meridian.Mediator`) shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity \u2014 the advertised `DefaultMaxCollectionItems` and `DefaultMaxDepth` safety caps are silently bypassed on the `IMapper.Map(source, destination)` overload and anywhere `.UseDestinationValue()` is configured on a collection-typed property. Four are MEDIUM (constructor invariant bypass, OpenTelemetry stack-trace info disclosure, retry amplification, notification fan-out amplification). Three are LOW (exception message disclosure, dictionary duplicate-key echo, static mediator cache growth under closed-generic types).\n\nAll nine are patched in **v2.1.1**. Upgrade is a drop-in NuGet bump; see the v2.1.1 CHANGELOG for the four behavioural changes (constructor selection, OTel default, publisher fan-out cap, retry caps).\n\n## Severity Matrix\n\n| # | Severity | CWE | Finding | Fix |\n|---|---|---|---|---|\n| 1 | **HIGH** | CWE-770 | `MappingEngine.TryMapCollectionOntoExisting` enumerated the source without enforcing `DefaultMaxCollectionItems`. Reachable via `Mapper.Map\u003cTSrc,TDst\u003e(src, dst)` and any `.ForMember(..., o =\u003e o.UseDestinationValue())` on a collection member through a plain `Map(src)` call. | Shared cap enforcement helper between `MapCollection` and `TryMapCollectionOntoExisting`. |\n| 2 | **HIGH** | CWE-674 | Collection-item recursion in the existing-destination path did not increment `ResolutionContext.Depth`, so self-referential collection graphs could reach stack overflow before `DefaultMaxDepth` fired. | Depth increments at every collection-item boundary. |\n| 3 | MEDIUM | CWE-665 | `ObjectCreator.CreateWithConstructorMapping` always invoked the widest public constructor, silently filling unresolved parameters with `default(T)` and bypassing narrower-ctor invariants. | Widest-ctor selection now requires every parameter to be bound via explicit ctor mapping, source-name match, or a C# optional default. |\n| 4 | MEDIUM | CWE-532 | `Mediator.MarkActivityFailure` emitted the full `ex.ToString()` (stack + inner chain) to the OpenTelemetry `exception.stacktrace` activity tag by default, leaking context to any shared trace sink. | Gated on `MediatorTelemetryOptions.RecordExceptionStackTrace` \u2014 opt-in, default `false`. |\n| 5 | MEDIUM | CWE-400 | `RetryBehavior` retried every exception type with unbounded `MaxRetries`; the exponential-backoff delay overflowed `TimeSpan` at ~30 attempts. No cancellation exclusion. | Server-side `MaxRetriesCap = 10`, `MaxBackoff = 5 min`, `OperationCanceledException` short-circuit, recommended `RetryPolicy.TransientOnly` helper. |\n| 6 | MEDIUM | CWE-400 | `TaskWhenAllPublisher` started every registered handler concurrently with no bound on fan-out. | New constructor parameter `maxDegreeOfParallelism` (default 16; `-1` restores legacy unbounded). |\n| 7 | LOW | CWE-209 | Public mapping exceptions leaked `FullName` of source/destination types and concatenated inner exception messages into top-level property-mapping errors. | Scrubbed to type `Name`; inner details only via `InnerException` chain. |\n| 8 | LOW | CWE-209 | Dictionary materialization threw `ArgumentException` on duplicate keys, echoing the attacker-supplied key\u0027s `.ToString()`. | Last-write-wins indexer semantics. |\n| 9 | LOW | CWE-1325 | Static mediator handler caches grow monotonically under closed-generic request types. **Doc-only mitigation**; no code change \u2014 consumers must not allow attacker-controlled runtime type materialization to reach `Send`, `Publish`, or `CreateStream`. | Documented in `docs/security-model.md`. |\n\n## Exploitation\n\n**Finding 1 / 2 (headline):** A consumer that maps user-supplied collection payloads onto an existing destination list via `mapper.Map(userCollection, existingList)` \u2014 a documented and commonly used AutoMapper-style idiom \u2014 processes the full attacker-supplied collection with no size cap and no depth cap. An attacker sending a single request with a large (or self-referential) collection payload can block the worker thread for seconds and exhaust the managed heap or the call stack. Equivalent exposure through `.UseDestinationValue()` on a collection-typed destination member, reachable via a plain `Map(src)` call whose destination type default-initializes that member.\n\n**Finding 3:** A destination type with multiple public constructors that differ only in their parameter-binding invariants (e.g., `new UserAccount(string name, Email email)` enforcing a non-default `Email`) could be instantiated with the narrower ctor\u0027s invariants silently bypassed if any source field was absent \u2014 the widest ctor was always picked, with unbound parameters replaced by `default(T)`.\n\n**Findings 4 / 5 / 6:** Amplification / information-disclosure vectors described in the matrix above. Each requires moderate integration context (telemetry sink trust, handler count, retry policy) to weaponize, but each is reachable through public APIs without authentication.\n\n## Patches\n\n- `Meridian.Mapping` **2.1.1** (published 2026-04-16)\n- `Meridian.Mediator` **2.1.1** (published 2026-04-16)\n\nVerified via:\n- GitHub Release assets at \u003chttps://github.com/UmutKorkmaz/meridian/releases/tag/v2.1.1\u003e\n- Sigstore attestation (`actions/attest-build-provenance@v2` \u2192 `gh attestation verify` green on both `.nupkg` from the GitHub Release)\n- NuGet.org indexed both packages within the release workflow run\n\n## Workarounds\n\nUsers who cannot upgrade immediately may:\n1. Avoid `mapper.Map(src, dst)` and `.UseDestinationValue()` on collection-typed destination members.\n2. Wrap input collection deserialization with an explicit size limit before handing the payload to Meridian.\n3. Register `TaskWhenAllPublisher` with `maxDegreeOfParallelism` \u2264 16 manually (v2.1.1+ only).\n4. Disable OpenTelemetry `exception.stacktrace` tag emission at the trace exporter level if your trace sink is less trusted than your application.\n\nThese are defense-in-depth; the only complete mitigation is upgrading to 2.1.1.\n\n## Supported Versions\n\nAs of this advisory the supported security branch is **2.1.x**. The 2.0.x line (published 2026-04-15) is not receiving the Phase 1 safety-defaults infrastructure needed to carry the HIGH-severity fixes, so 2.0.x is deprecated in favor of 2.1.x. See `SECURITY.md` for the updated supported-versions table.\n\n## Credits\n\n- UmutKorkmaz (reporter and maintainer)\n\n## References\n\n- v2.1.1 CHANGELOG section: \u003chttps://github.com/UmutKorkmaz/meridian/blob/main/CHANGELOG.md#211---2026-04-16\u003e\n- `docs/security-model.md` threat model: \u003chttps://github.com/UmutKorkmaz/meridian/blob/main/docs/security-model.md\u003e\n- `SECURITY.md` disclosure policy: \u003chttps://github.com/UmutKorkmaz/meridian/blob/main/SECURITY.md\u003e\n- AutoMapper CVE-2026-32933 (motivating precedent for Meridian\u0027s safety-defaults)",
  "id": "GHSA-f5v8-v6q3-q4h6",
  "modified": "2026-04-16T22:50:37Z",
  "published": "2026-04-16T22:50:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/UmutKorkmaz/meridian/security/advisories/GHSA-f5v8-v6q3-q4h6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/UmutKorkmaz/meridian"
    },
    {
      "type": "WEB",
      "url": "https://github.com/UmutKorkmaz/meridian/blob/main/CHANGELOG.md#211---2026-04-16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/UmutKorkmaz/meridian/releases/tag/v2.1.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out)"
}

GHSA-F5VX-F6JP-89J6

Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-10 18:31
VLAI
Details

Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames.

Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service.

A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-34183"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1325"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T17:17:05Z",
    "severity": "HIGH"
  },
  "details": "Issue summary: Remote peer may exhaust heap memory of the QUIC\nserver or client by flooding it with packets containing PATH_CHALLENGE\nframes.\n\nImpact summary: A malicious remote peer can cause an unbounded\nmemory allocation which can lead to an abnormal termination of the\napplication acting as a QUIC client or server and a Denial of Service.\n\nA remote peer may exhaust heap memory by flooding the local\nQUIC stack with PATH_CHALLENGE frames. The local QUIC stack\nallocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives.\nThe allocated PATH_RESPONSE frame gets freed only when the remote\npeer acknowledges reception of the PATH_RESPONSE frame which will\nnot be done by a malicious peer.\n\nThe FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by\nthis issue. The QUIC stack is outside of OpenSSL FIPS module\nboundary.",
  "id": "GHSA-f5vx-f6jp-89j6",
  "modified": "2026-06-10T18:31:41Z",
  "published": "2026-06-09T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34183"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/d2e9efbe4900a373227deb136e8665401404ffac"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/security/commit/5b306efb0b3779dfdd0803b4afc9d08c91f11517"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/security/commit/7d06955ebe0ecf8adfd4c1e92018586da47ef9ac"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/security/commit/d2e9efbe4900a373227deb136e8665401404ffac"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/security/commit/fbaa83859c01ad64f497b757aaf51be7d05ed9eb"
    },
    {
      "type": "WEB",
      "url": "https://openssl-library.org/news/secadv/20260609.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GCCJ-RGH5-5X96

Vulnerability from github – Published: 2024-07-09 12:30 – Updated: 2024-07-09 12:30
VLAI
Details

A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.5), SIMATIC Energy Manager PRO (All versions < V7.5), SIMATIC IPC DiagBase (All versions), SIMATIC IPC DiagMonitor (All versions), SIMIT V10 (All versions), SIMIT V11 (All versions < V11.1). Unified Automation .NET based OPC UA Server SDK before 3.2.2 used in Siemens products are affected by a similar vulnerability as documented in CVE-2023-27321 for the OPC Foundation UA .NET Standard implementation. A successful attack may lead to high load situation and memory exhaustion, and may block the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1325"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T12:15:11Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions \u003c V7.5), SIMATIC Energy Manager PRO (All versions \u003c V7.5), SIMATIC IPC DiagBase (All versions), SIMATIC IPC DiagMonitor (All versions), SIMIT V10 (All versions), SIMIT V11 (All versions \u003c V11.1). Unified Automation .NET based OPC UA Server SDK before 3.2.2 used in Siemens products are affected by a similar vulnerability as documented in CVE-2023-27321 for the OPC Foundation UA .NET Standard implementation. A successful attack may lead to high load situation and memory exhaustion, and may block the server.",
  "id": "GHSA-gccj-rgh5-5x96",
  "modified": "2024-07-09T12:30:57Z",
  "published": "2024-07-09T12:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52891"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-088132.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GFH6-3PQW-X2J4

Vulnerability from github – Published: 2025-03-12 15:32 – Updated: 2025-05-21 21:36
VLAI
Summary
SmallRye Fault Tolerance out-of-memory (OOM) issue
Details

A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.smallrye:smallrye-fault-tolerance-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.3.0"
            },
            {
              "fixed": "6.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.smallrye:smallrye-fault-tolerance-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.5.0"
            },
            {
              "fixed": "6.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-2240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1325"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-12T20:19:58Z",
    "nvd_published_at": "2025-03-12T15:15:42Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.",
  "id": "GHSA-gfh6-3pqw-x2j4",
  "modified": "2025-05-21T21:36:33Z",
  "published": "2025-03-12T15:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2240"
    },
    {
      "type": "WEB",
      "url": "https://github.com/smallrye/smallrye-fault-tolerance/pull/985"
    },
    {
      "type": "WEB",
      "url": "https://github.com/smallrye/smallrye-fault-tolerance/pull/985/files#diff-88c4a089e0cb88e4bdf285490e2617c29b9979a778e33957e4448260e286b91aR299"
    },
    {
      "type": "WEB",
      "url": "https://github.com/smallrye/smallrye-fault-tolerance/commit/e8bcad3d5e8bbac0a3219bd5c13661adf6ed6bbb"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:3376"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:3541"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:3543"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-2240"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351452"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/smallrye/smallrye-fault-tolerance"
    },
    {
      "type": "WEB",
      "url": "https://smallrye.io/blog/fault-tolerance-6-9-0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SmallRye Fault Tolerance out-of-memory (OOM) issue"
}

GHSA-Q3P3-3QHR-3586

Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-04-30 15:30
VLAI
Details

Dissection engine LZ77 decompression crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6533"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1325"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-30T07:16:40Z",
    "severity": "MODERATE"
  },
  "details": "Dissection engine LZ77 decompression crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service",
  "id": "GHSA-q3p3-3qhr-3586",
  "modified": "2026-04-30T15:30:39Z",
  "published": "2026-04-30T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6533"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/issues/21127"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/work_items/21127"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2026-28.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R6MG-V3F6-8V7R

Vulnerability from github – Published: 2026-04-30 09:30 – Updated: 2026-04-30 09:30
VLAI
Details

SMB2 protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1325"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-30T07:16:41Z",
    "severity": "MODERATE"
  },
  "details": "SMB2 protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service",
  "id": "GHSA-r6mg-v3f6-8v7r",
  "modified": "2026-04-30T09:30:25Z",
  "published": "2026-04-30T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6867"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/wireshark/wireshark/-/work_items/21191"
    },
    {
      "type": "WEB",
      "url": "https://www.wireshark.org/security/wnpa-sec-2026-45.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W5C6-C6WV-54H7

Vulnerability from github – Published: 2023-09-20 15:30 – Updated: 2024-02-16 21:31
VLAI
Details

The code that processes control channel messages sent to named calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing named to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3341"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1325",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-20T13:15:11Z",
    "severity": "HIGH"
  },
  "details": "The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel\u0027s configured TCP port is necessary.\nThis issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1.",
  "id": "GHSA-w5c6-c6wv-54h7",
  "modified": "2024-02-16T21:31:31Z",
  "published": "2023-09-20T15:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3341"
    },
    {
      "type": "WEB",
      "url": "https://kb.isc.org/docs/cve-2023-3341"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPJLLTJCSDJJII7IIZPLTBQNWP7MZH7F"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U35OARLQCPMVCBBPHWBXY5M6XJLD2TZ5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSK5V4W4OHPM3JTJGWAQD6CZW7SFD75B"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231013-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5504"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/09/20/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WM6P-93J5-RX57

Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2026-04-02 21:31
VLAI
Details

The issue was addressed with improved memory handling. This issue is fixed in iOS 17.5 and iPadOS 17.5, tvOS 17.5, watchOS 10.5, macOS Sonoma 14.5. An app may be able to execute arbitrary code with kernel privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1325",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:13:04Z",
    "severity": "HIGH"
  },
  "details": "The issue was addressed with improved memory handling. This issue is fixed in iOS 17.5 and iPadOS 17.5, tvOS 17.5, watchOS 10.5, macOS Sonoma 14.5. An app may be able to execute arbitrary code with kernel privileges.",
  "id": "GHSA-wm6p-93j5-rx57",
  "modified": "2026-04-02T21:31:40Z",
  "published": "2024-05-14T15:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27804"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120901"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120902"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120903"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120905"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120915"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214101"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214102"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214104"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214106"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214101"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214102"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214104"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214106"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214123"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/23"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/May/10"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/May/12"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/May/16"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/May/17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XGHW-5MM2-R3Q7

Vulnerability from github – Published: 2023-04-18 00:32 – Updated: 2024-04-04 03:31
VLAI
Details

An Improperly Controlled Sequential Memory Allocation vulnerability in the Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder) Application Signature component of Junos OS's AppID service on SRX Series devices will stop the JDPI-Decoder from identifying dynamic application traffic, allowing an unauthenticated network-based attacker to send traffic to the target device using the JDPI-Decoder, designed to inspect dynamic application traffic and take action upon this traffic, to instead begin to not take action and to pass the traffic through. An example session can be seen by running the following command and evaluating the output. user@device# run show security flow session source-prefix extensive Session ID: , Status: Normal, State: Active Policy name: Dynamic application: junos:UNKNOWN, <<<<< LOOK HERE Please note, the JDPI-Decoder and the AppID SigPack are both affected and both must be upgraded along with the operating system to address the matter. By default, none of this is auto-enabled for automatic updates. This issue affects: Juniper Networks any version of the JDPI-Decoder Engine prior to version 5.7.0-47 with the JDPI-Decoder enabled using any version of the AppID SigPack prior to version 1.550.2-31 (SigPack 3533) on Junos OS on SRX Series: All versions prior to 19.1R3-S10; 19.2 versions prior to 19.2R3-S7; 19.3 versions prior to 19.3R3-S8; 19.4 versions prior to 19.4R3-S11; 20.1 version 20.1R1 and later versions prior to 20.2R3-S7; 20.3 version 20.3R1 and later versions prior to 20.4R3-S6; 21.1 versions prior to 21.1R3-S5; 21.2 versions prior to 21.2R3-S4; 21.3 versions prior to 21.3R3-S3; 21.4 versions prior to 21.4R3-S3; 22.1 versions prior to 22.1R3-S1; 22.2 versions prior to 22.2R2-S1, 22.2R3; 22.3 versions prior to 22.3R1-S2, 22.3R2;

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28968"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1325",
      "CWE-770"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-17T22:15:08Z",
    "severity": "MODERATE"
  },
  "details": "An Improperly Controlled Sequential Memory Allocation vulnerability in the Juniper Networks Deep Packet Inspection-Decoder (JDPI-Decoder) Application Signature component of Junos OS\u0027s AppID service on SRX Series devices will stop the JDPI-Decoder from identifying dynamic application traffic, allowing an unauthenticated network-based attacker to send traffic to the target device using the JDPI-Decoder, designed to inspect dynamic application traffic and take action upon this traffic, to instead begin to not take action and to pass the traffic through. An example session can be seen by running the following command and evaluating the output. user@device# run show security flow session source-prefix \u003caddress/mask\u003e extensive Session ID: \u003csession ID\u003e, Status: Normal, State: Active Policy name: \u003cname of policy\u003e Dynamic application: junos:UNKNOWN, \u003c\u003c\u003c\u003c\u003c LOOK HERE Please note, the JDPI-Decoder and the AppID SigPack are both affected and both must be upgraded along with the operating system to address the matter. By default, none of this is auto-enabled for automatic updates. This issue affects: Juniper Networks any version of the JDPI-Decoder Engine prior to version 5.7.0-47 with the JDPI-Decoder enabled using any version of the AppID SigPack prior to version 1.550.2-31 (SigPack 3533) on Junos OS on SRX Series: All versions prior to 19.1R3-S10; 19.2 versions prior to 19.2R3-S7; 19.3 versions prior to 19.3R3-S8; 19.4 versions prior to 19.4R3-S11; 20.1 version 20.1R1 and later versions prior to 20.2R3-S7; 20.3 version 20.3R1 and later versions prior to 20.4R3-S6; 21.1 versions prior to 21.1R3-S5; 21.2 versions prior to 21.2R3-S4; 21.3 versions prior to 21.3R3-S3; 21.4 versions prior to 21.4R3-S3; 22.1 versions prior to 22.1R3-S1; 22.2 versions prior to 22.2R2-S1, 22.2R3; 22.3 versions prior to 22.3R1-S2, 22.3R2;",
  "id": "GHSA-xghw-5mm2-r3q7",
  "modified": "2024-04-04T03:31:28Z",
  "published": "2023-04-18T00:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28968"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA70592"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/s/article/SRX-How-to-update-IDP-signature-database-automatically-on-a-SRX"
    },
    {
      "type": "WEB",
      "url": "https://www.juniper.net/documentation/us/en/software/jdpi/release-notes/jdpi-decoder-release-notes-october-2022/jdpi-decoder-release-notes-october-2022.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Ensure multiple allocations of the same kind of object are properly tracked - possibly across multiple sessions, requests, or messages. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.

Mitigation
Operation

Run the program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.

CAPEC-130: Excessive Allocation

An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.