CWE-772
AllowedMissing Release of Resource after Effective Lifetime
Abstraction: Base · Status: Draft
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
567 vulnerabilities reference this CWE, most recent first.
CVE-2026-54786 (GCVE-0-2026-54786)
Vulnerability from cvelistv5 – Published: 2026-07-01 20:12 – Updated: 2026-07-02 12:44| URL | Tags |
|---|---|
| https://github.com/bytecodealliance/wasmtime/secu… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| bytecodealliance | wasmtime |
Affected:
< 24.0.10
Affected: >= 25.0.0, < 36.0.11 Affected: >= 37.0.0, < 44.0.3 Affected: >= 45.0.0, < 45.0.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54786",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-02T12:44:47.360688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-02T12:44:55.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wasmtime",
"vendor": "bytecodealliance",
"versions": [
{
"status": "affected",
"version": "\u003c 24.0.10"
},
{
"status": "affected",
"version": "\u003e= 25.0.0, \u003c 36.0.11"
},
{
"status": "affected",
"version": "\u003e= 37.0.0, \u003c 44.0.3"
},
{
"status": "affected",
"version": "\u003e= 45.0.0, \u003c 45.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wasmtime is a runtime for WebAssembly. All versions prior to 24.0.10; versions 25.0.0 through those before 36.0.11; versions 37.0.0 through those before 44.0.3; and versions 45.0.0 and 45.0.1 contain a native implementation of WASIp1 which suffers from a leak in the fd_renumber function where the file descriptor being renumbered to is not properly closed. Wasmtime\u0027s implementation erroneously only updated the table of descriptors for WASIp1 and didn\u0027t update the underlying table of descriptors used by the host. This behavior means that while fd_renumber works correctly from a guest\u0027s perspective it ends up leaking resources in the host that aren\u0027t cleaned up until the corresponding Store is destroyed. In a loop, guests can use fd_renumber to cause hosts to exhaust both resources and file descriptors. This bug only affects the native implementation of WASIp1, meaning that only runtimes which load core wasm modules and expose fd_renumber are affected. Runtimes are additionally only affected if they expose the ability to acquire a file descriptor, such as opening a file. For runtimes that deny access to files they are unaffected. This issue has been fixed in versions 24.0.10, 36.0.11, 44.0.3, and 45.0.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T20:12:35.560Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-3p27-qvp9-27qf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-3p27-qvp9-27qf"
}
],
"source": {
"advisory": "GHSA-3p27-qvp9-27qf",
"discovery": "UNKNOWN"
},
"title": "Wasmtime: Leak in WASIp1 `fd_renumber` implementation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54786",
"datePublished": "2026-07-01T20:12:35.560Z",
"dateReserved": "2026-06-15T23:23:57.714Z",
"dateUpdated": "2026-07-02T12:44:55.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45536 (GCVE-0-2026-45536)
Vulnerability from cvelistv5 – Published: 2026-06-12 14:12 – Updated: 2026-06-12 15:05| URL | Tags |
|---|---|
| https://github.com/netty/netty/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/netty/netty/releases/tag/netty… | x_refsource_MISC |
| https://github.com/netty/netty/releases/tag/netty… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45536",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-12T15:05:26.043862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T15:05:36.411Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0.Final, \u003c 4.2.15.Final"
},
{
"status": "affected",
"version": "\u003c 4.1.135.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) \u2014 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has cmsg_len = CMSG_LEN(8) = 24, which fits exactly with no MSG_CTRUNC, so the kernel installs both fds in the receiving process. The subsequent check `cmsg-\u003ecmsg_len == CMSG_LEN(sizeof(int))` (line 972, expected 20) fails, the branch that would read the fd is skipped, and neither installed fd is closed. The for(;;) loop calls recvmsg again (non-blocking \u2192 EAGAIN \u2192 Java maps to 0 \u2192 read loop exits normally), leaving two leaked fds per message. There is no MSG_CTRUNC handling. Reachable via Epoll/KQueue DomainSocketChannel when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default). Versions 4.1.135.Final and 4.2.15.Final patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T14:12:48.126Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-w573-9ffj-6ff9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-w573-9ffj-6ff9"
},
{
"name": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/releases/tag/netty-4.1.135.Final"
},
{
"name": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/releases/tag/netty-4.2.15.Final"
}
],
"source": {
"advisory": "GHSA-w573-9ffj-6ff9",
"discovery": "UNKNOWN"
},
"title": "Netty: Unix-socket fd receive leaks descriptors when peer sends two at once"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45536",
"datePublished": "2026-06-12T14:12:48.126Z",
"dateReserved": "2026-05-12T17:48:47.878Z",
"dateUpdated": "2026-06-12T15:05:36.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45287 (GCVE-0-2026-45287)
Vulnerability from cvelistv5 – Published: 2026-06-04 14:45 – Updated: 2026-06-08 18:27| URL | Tags |
|---|---|
| https://github.com/open-telemetry/opentelemetry-g… | x_refsource_CONFIRM |
| https://github.com/open-telemetry/opentelemetry-g… | x_refsource_MISC |
| https://github.com/open-telemetry/opentelemetry-g… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| open-telemetry | go.opentelemetry.io/otel/schema/v1.1 |
Affected:
< 0.0.17
|
|
| open-telemetry | go.opentelemetry.io/otel/schema/v1.0 |
Affected:
< 0.0.17
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45287",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T18:27:31.389905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T18:27:46.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "go.opentelemetry.io/otel/schema/v1.1",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003c 0.0.17"
}
]
},
{
"product": "go.opentelemetry.io/otel/schema/v1.0",
"vendor": "open-telemetry",
"versions": [
{
"status": "affected",
"version": "\u003c 0.0.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-775",
"description": "CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T14:45:54.522Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go/commit/e72a235518cb773137efd80336a179028bc34684",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-go/commit/e72a235518cb773137efd80336a179028bc34684"
},
{
"name": "https://github.com/open-telemetry/opentelemetry-go/commit/f12d198f161b61735d65705248715aa97021ba8d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-telemetry/opentelemetry-go/commit/f12d198f161b61735d65705248715aa97021ba8d"
}
],
"source": {
"advisory": "GHSA-995v-fvrw-c78m",
"discovery": "UNKNOWN"
},
"title": "OpenTelemetry-Go\u0027s Schema ParseFile leaks file descriptors on each parse"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45287",
"datePublished": "2026-06-04T14:45:54.522Z",
"dateReserved": "2026-05-11T20:14:43.200Z",
"dateUpdated": "2026-06-08T18:27:46.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42577 (GCVE-0-2026-42577)
Vulnerability from cvelistv5 – Published: 2026-05-13 18:00 – Updated: 2026-05-14 15:39- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://github.com/netty/netty/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/netty/netty/pull/16689 | x_refsource_MISC |
| https://github.com/netty/netty/commit/0ec3d97fab3… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42577",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:38:58.623257Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:39:44.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netty",
"vendor": "netty",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0.Final, \u003c 4.2.13.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty\u0027s epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread. This vulnerability is fixed in 4.2.13.Final."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:00:28.744Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/netty/netty/security/advisories/GHSA-rwm7-x88c-3g2p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/netty/netty/security/advisories/GHSA-rwm7-x88c-3g2p"
},
{
"name": "https://github.com/netty/netty/pull/16689",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/pull/16689"
},
{
"name": "https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/netty/netty/commit/0ec3d97fab376e243d328ac95fbd288ba0f6e22d"
}
],
"source": {
"advisory": "GHSA-rwm7-x88c-3g2p",
"discovery": "UNKNOWN"
},
"title": "Netty: epoll transport denial of service via RST on half-closed TCP connection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42577",
"datePublished": "2026-05-13T18:00:28.744Z",
"dateReserved": "2026-04-28T17:26:12.085Z",
"dateUpdated": "2026-05-14T15:39:44.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39455 (GCVE-0-2026-39455)
Vulnerability from cvelistv5 – Published: 2026-05-13 14:12 – Updated: 2026-05-13 16:09- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://my.f5.com/manage/s/article/K000160874 | vendor-advisorypatch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39455",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T16:02:47.984687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T16:09:59.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"All Modules"
],
"product": "BIG-IP",
"vendor": "F5",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "21.1.0",
"versionType": "custom"
},
{
"lessThan": "21.0.0.2",
"status": "affected",
"version": "21.0.0",
"versionType": "custom"
},
{
"lessThan": "17.5.1.6",
"status": "affected",
"version": "17.5.0",
"versionType": "custom"
},
{
"lessThan": "17.1.3.2",
"status": "affected",
"version": "17.1.0",
"versionType": "custom"
},
{
"lessThan": "*",
"status": "affected",
"version": "16.1.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F5"
}
],
"datePublic": "2026-05-13T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic can cause the \u003c/span\u003e\u003cstrong\u003ehttpd\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;process to exhaust the available file descriptors.\u0026nbsp;\u0026nbsp;\u003c/span\u003eNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"value": "When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic can cause the httpd\u00a0process to exhaust the available file descriptors.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:12:39.762Z",
"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"shortName": "f5"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://my.f5.com/manage/s/article/K000160874"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "BIG-IP Configuration utility vulnerability",
"x_generator": {
"engine": "F5 SIRTBot v1.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab",
"assignerShortName": "f5",
"cveId": "CVE-2026-39455",
"datePublished": "2026-05-13T14:12:39.762Z",
"dateReserved": "2026-04-30T23:04:20.012Z",
"dateUpdated": "2026-05-13T16:09:59.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35227 (GCVE-0-2026-35227)
Vulnerability from cvelistv5 – Published: 2026-05-12 07:14 – Updated: 2026-05-13 14:38- CWE-772 - Missing Release of Resource after Effective Lifetime
| Vendor | Product | Version | |
|---|---|---|---|
| CODESYS | CODESYS Modbus |
Affected:
1.0.0.0 , < 4.6.0.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35227",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T14:29:08.743627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:38:41.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CODESYS Modbus",
"vendor": "CODESYS",
"versions": [
{
"lessThan": "4.6.0.0",
"status": "affected",
"version": "1.0.0.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:codesys:codesys_modbus:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.6.0.0",
"versionStartIncluding": "1.0.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "ABB Schweiz AG"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is successfully exploited, preventing legitimate clients from establishing new connections.\u003cbr\u003e"
}
],
"value": "An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is successfully exploited, preventing legitimate clients from establishing new connections."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T07:14:41.517Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://certvde.com/de/advisories/VDE-2026-042"
}
],
"source": {
"advisory": "VDE-2026-042",
"defect": [
"CERT@VDE#642013"
],
"discovery": "UNKNOWN"
},
"title": "Improper resource management in CODESYS Modbus TCP Server",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2026-35227",
"datePublished": "2026-05-12T07:14:41.517Z",
"dateReserved": "2026-04-01T19:54:21.499Z",
"dateUpdated": "2026-05-13T14:38:41.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21874 (GCVE-0-2026-21874)
Vulnerability from cvelistv5 – Published: 2026-01-08 09:50 – Updated: 2026-01-08 14:43- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://github.com/zauberzeug/nicegui/security/ad… | x_refsource_CONFIRM |
| https://github.com/zauberzeug/nicegui/commit/6c52… | x_refsource_MISC |
| https://github.com/zauberzeug/nicegui/releases/ta… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| zauberzeug | nicegui |
Affected:
>= 2.10.0, < 3.5.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21874",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-08T14:43:46.386940Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T14:43:50.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nicegui",
"vendor": "zauberzeug",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 3.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T09:50:47.247Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2"
},
{
"name": "https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zauberzeug/nicegui/commit/6c52eb2c90c4b67387c025b29646b4bc1578eb83"
},
{
"name": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.5.0"
}
],
"source": {
"advisory": "GHSA-mp55-g7pj-rvm2",
"discovery": "UNKNOWN"
},
"title": "NiceGUI has Redis connection leak via tab storage causes service degradation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21874",
"datePublished": "2026-01-08T09:50:47.247Z",
"dateReserved": "2026-01-05T16:44:16.369Z",
"dateUpdated": "2026-01-08T14:43:50.018Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20082 (GCVE-0-2026-20082)
Vulnerability from cvelistv5 – Published: 2026-03-04 17:22 – Updated: 2026-03-04 20:52- CWE-772 - Missing Release of Resource after Effective Lifetime
| Vendor | Product | Version | |
|---|---|---|---|
| Cisco | Cisco Secure Firewall Adaptive Security Appliance (ASA) Software |
Affected:
9.20.4.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T20:52:44.973008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T20:52:52.679Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco Secure Firewall Adaptive Security Appliance (ASA) Software",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "9.20.4.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the handling of the embryonic connection limits in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause incoming TCP SYN packets to be dropped incorrectly.\r\n\r This vulnerability is due to improper handling of new, incoming TCP connections that are destined to management or data interfaces when the device is under a TCP SYN flood attack. An attacker could exploit this vulnerability by sending a crafted stream of traffic to an affected device. A successful exploit could allow the attacker to prevent all incoming TCP connections to the device from being established, including remote management access, Remote Access VPN (RAVPN) connections, and all network protocols that are TCP-based. This results in a denial of service (DoS) condition for affected features."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "cvssV3_1"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T17:22:34.106Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "cisco-sa-asa-dos-FCvLD6vR",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-FCvLD6vR"
}
],
"source": {
"advisory": "cisco-sa-asa-dos-FCvLD6vR",
"defects": [
"CSCwr58661"
],
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20082",
"datePublished": "2026-03-04T17:22:34.106Z",
"dateReserved": "2025-10-08T11:59:15.364Z",
"dateUpdated": "2026-03-04T20:52:52.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15713 (GCVE-0-2026-15713)
Vulnerability from cvelistv5 – Published: 2026-07-14 19:45 – Updated: 2026-07-14 19:50- CWE-772 - Missing Release of Resource after Effective Lifetime
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-15713 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2499941 | issue-trackingx_refsource_REDHAT |
| https://gitlab.gnome.org/GNOME/libsoup/-/work_items/541 |
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 |
cpe:/o:redhat:enterprise_linux:10 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
|
| Red Hat | Red Hat Enterprise Linux 7 |
cpe:/o:redhat:enterprise_linux:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
cpe:/o:redhat:enterprise_linux:8 |
|
| Red Hat | Red Hat Enterprise Linux 9 |
cpe:/o:redhat:enterprise_linux:9 |
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "affected",
"packageName": "libsoup3",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "unknown",
"packageName": "libsoup",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
],
"defaultStatus": "unknown",
"packageName": "libsoup",
"product": "Red Hat Enterprise Linux 7",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:8"
],
"defaultStatus": "affected",
"packageName": "libsoup",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "affected",
"packageName": "libsoup",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank cavid for reporting this issue."
}
],
"datePublic": "2026-07-14T10:20:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in libsoup\u0027s HTTP/2 protocol implementation. The library fails to correctly release memory context blocks under specific stream termination conditions, such as when an HTTP/2 connection encounters window exhaustion or explicit stream resets. A remote, unauthenticated attacker acting as a malicious network peer can trick the connection engine into allocating stream states that are subsequently leaked during cleanup. Over a sustained period, this flaw allows the remote attacker to consume the system\u0027s heap allocations incrementally, triggering a denial of service (DoS) through an ultimate Out-of-Memory (OOM) application crash."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T19:50:58.590Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-15713"
},
{
"name": "RHBZ#2499941",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2499941"
},
{
"url": "https://gitlab.gnome.org/GNOME/libsoup/-/work_items/541"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-14T10:15:42.740Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-07-14T10:20:00.000Z",
"value": "Made public."
}
],
"title": "Libsoup: soupcache: libsoup: http/2 frame window exhaustion remote denial of service via memory leak",
"workarounds": [
{
"lang": "en",
"value": "Users should avoid connecting to untrusted HTTP/2 servers. Implementing network egress filtering to restrict outbound connections to only trusted destinations can reduce exposure to this vulnerability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-772: Missing Release of Resource after Effective Lifetime"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-15713",
"datePublished": "2026-07-14T19:45:56.489Z",
"dateReserved": "2026-07-14T10:14:16.964Z",
"dateUpdated": "2026-07-14T19:50:58.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13351 (GCVE-0-2026-13351)
Vulnerability from cvelistv5 – Published: 2026-06-25 16:27 – Updated: 2026-06-25 18:00- CWE-772 - Missing Release of Resource after Effective Lifetime
| Vendor | Product | Version | |
|---|---|---|---|
| zephyrproject-rtos | Zephyr |
Affected:
* , ≤ 4.3
(git)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13351",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T18:00:39.412711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T18:00:46.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Zephyr",
"product": "Zephyr",
"repo": "https://github.com/zephyrproject-rtos/zephyr",
"vendor": "zephyrproject-rtos",
"versions": [
{
"lessThanOrEqual": "4.3",
"status": "affected",
"version": "*",
"versionType": "git"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "net: Maliciously fragmented IPv6 packets can prevent receiving/processing future incoming packets"
}
],
"value": "Zephyr\u0027s IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T16:27:17.917Z",
"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad",
"shortName": "zephyr"
},
"references": [
{
"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-cv4q-2j56-4wqf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "net: Maliciously fragmented IPv6 packets can prevent receiving/processing future incoming packets",
"x_generator": {
"engine": "swg-tools/create-cve-info"
}
}
},
"cveMetadata": {
"assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad",
"assignerShortName": "zephyr",
"cveId": "CVE-2026-13351",
"datePublished": "2026-06-25T16:27:17.917Z",
"dateReserved": "2026-06-25T16:13:43.055Z",
"dateUpdated": "2026-06-25T18:00:46.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, languages such as Java, Ruby, and Lisp perform automatic garbage collection that releases memory for objects that have been deallocated.
Mitigation
It is good practice to be responsible for freeing all resources you allocate and to be consistent with how and where you free resources in a function. If you allocate resources that you intend to free upon completion of the function, you must be sure to free the resources at all exit points for that function including error conditions.
Mitigation MIT-47
Strategy: Resource Limitation
- Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.
- When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users.
- Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).
CAPEC-469: HTTP DoS
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.