CWE-407
Inefficient Algorithmic Complexity
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
CVE-2026-42245 (GCVE-0-2026-42245)
Vulnerability from cvelistv5 – Published: 2026-05-09 19:37 – Updated: 2026-05-12 18:30
VLAI
Title
net-imap: Quadratic complexity when reading response literals
Summary
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/ruby/net-imap/security/advisor… | x_refsource_CONFIRM |
| https://github.com/ruby/net-imap/commit/6091f7d6b… | x_refsource_MISC |
| https://github.com/ruby/net-imap/commit/88d95231f… | x_refsource_MISC |
| https://github.com/ruby/net-imap/commit/de685f91a… | x_refsource_MISC |
| https://github.com/ruby/net-imap/releases/tag/v0.4.24 | x_refsource_MISC |
| https://github.com/ruby/net-imap/releases/tag/v0.5.14 | x_refsource_MISC |
| https://github.com/ruby/net-imap/releases/tag/v0.6.4 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42245",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T17:53:55.917796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T18:30:58.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "net-imap",
"vendor": "ruby",
"versions": [
{
"status": "affected",
"version": "\u003c 0.4.24"
},
{
"status": "affected",
"version": "\u003e= 0.5.0, \u003c 0.5.14"
},
{
"status": "affected",
"version": "\u003e= 0.6.0, \u003c 0.6.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client\u0027s CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T19:37:08.905Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcw"
},
{
"name": "https://github.com/ruby/net-imap/commit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/commit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96"
},
{
"name": "https://github.com/ruby/net-imap/commit/88d95231fc8afef11c1f074453f7d75b68c9dfda",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/commit/88d95231fc8afef11c1f074453f7d75b68c9dfda"
},
{
"name": "https://github.com/ruby/net-imap/commit/de685f91a4a4cc75eb80da898c2bf8af08d34819",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/commit/de685f91a4a4cc75eb80da898c2bf8af08d34819"
},
{
"name": "https://github.com/ruby/net-imap/releases/tag/v0.4.24",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24"
},
{
"name": "https://github.com/ruby/net-imap/releases/tag/v0.5.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14"
},
{
"name": "https://github.com/ruby/net-imap/releases/tag/v0.6.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4"
}
],
"source": {
"advisory": "GHSA-q2mw-fvj9-vvcw",
"discovery": "UNKNOWN"
},
"title": "net-imap: Quadratic complexity when reading response literals"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42245",
"datePublished": "2026-05-09T19:37:08.905Z",
"dateReserved": "2026-04-25T05:37:12.118Z",
"dateUpdated": "2026-05-12T18:30:58.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42304 (GCVE-0-2026-42304)
Vulnerability from cvelistv5 – Published: 2026-05-13 20:20 – Updated: 2026-05-14 15:45
VLAI
Title
Twisted: Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains
Summary
Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/twisted/twisted/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42304",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T15:44:57.486318Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T15:45:34.746Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/twisted/twisted/security/advisories/GHSA-grgv-6hw6-v9g4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "twisted",
"vendor": "twisted",
"versions": [
{
"status": "affected",
"version": "\u003c 26.4.0rc2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previous loop-prevention logic, causing the single-threaded Twisted reactor to hang while processing millions of recursive lookups, effectively freezing the server. This vulnerability is fixed in 26.4.0rc2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T20:20:29.149Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/twisted/twisted/security/advisories/GHSA-grgv-6hw6-v9g4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/twisted/twisted/security/advisories/GHSA-grgv-6hw6-v9g4"
}
],
"source": {
"advisory": "GHSA-grgv-6hw6-v9g4",
"discovery": "UNKNOWN"
},
"title": "Twisted: Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42304",
"datePublished": "2026-05-13T20:20:29.149Z",
"dateReserved": "2026-04-26T12:13:55.552Z",
"dateUpdated": "2026-05-14T15:45:34.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42923 (GCVE-0-2026-42923)
Vulnerability from cvelistv5 – Published: 2026-05-20 09:20 – Updated: 2026-05-20 12:10
VLAI
Title
Degradation of service with unbounded NSEC3 hash calculations
Summary
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of service during the attack. An adversary that controls a DNSSEC signed zone can exploit this by signing NSEC3 records with acceptably high iterations for child delegations and querying a vulnerable Unbound. Unbound will keep performing the allowed hash calculations on the NSEC3 records and will not limit the work by the mitigation introduced in 1.19.1. As a side effect, a global lock for the negative cache will be held for the duration of the hashing, blocking other threads that need to consult the negative cache. Coordinated attacks could raise the vulnerability to denial of service. Unbound 1.25.1 contains a patch with a fix to bound the vulnerable code path with the existing limit for NSEC3 hash calculations.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.nlnetlabs.nl/downloads/unbound/CVE-20… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NLnet Labs | Unbound |
Affected:
0 , < 1.25.1
(semver)
|
Date Public
2026-05-20 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42923",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T12:10:04.210764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T12:10:10.747Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Unbound",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "1.25.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qifan Zhang (Palo Alto Networks)"
}
],
"datePublic": "2026-05-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of service during the attack. An adversary that controls a DNSSEC signed zone can exploit this by signing NSEC3 records with acceptably high iterations for child delegations and querying a vulnerable Unbound. Unbound will keep performing the allowed hash calculations on the NSEC3 records and will not limit the work by the mitigation introduced in 1.19.1. As a side effect, a global lock for the negative cache will be held for the duration of the hashing, blocking other threads that need to consult the negative cache. Coordinated attacks could raise the vulnerability to denial of service. Unbound 1.25.1 contains a patch with a fix to bound the vulnerable code path with the existing limit for NSEC3 hash calculations."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/U:Amber",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T09:20:01.104Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42923.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed starting with version 1.25.1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-28T00:00:00.000Z",
"value": "Issue reported by Qifan Zhang"
},
{
"lang": "en",
"time": "2026-05-07T00:00:00.000Z",
"value": "NLnet Labs shares patch"
},
{
"lang": "en",
"time": "2026-05-08T00:00:00.000Z",
"value": "Qifan Zhang verifies patch"
},
{
"lang": "en",
"time": "2026-05-20T00:00:00.000Z",
"value": "Fixes released with version 1.25.1"
}
],
"title": "Degradation of service with unbounded NSEC3 hash calculations",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2026-42923",
"datePublished": "2026-05-20T09:20:01.104Z",
"dateReserved": "2026-05-07T10:07:51.800Z",
"dateUpdated": "2026-05-20T12:10:10.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43967 (GCVE-0-2026-43967)
Vulnerability from cvelistv5 – Published: 2026-05-08 15:42 – Updated: 2026-05-09 04:18
VLAI
Title
Quadratic fragment-name uniqueness check causes denial of service in absinthe
Summary
Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.
'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) — a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller.
Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.
This issue affects absinthe: from 1.2.0 before 1.10.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/absinthe-graphql/absinthe/secu… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-43967.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-43967 | related |
| https://github.com/absinthe-graphql/absinthe/comm… | patch |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| absinthe-graphql | absinthe |
Affected:
1.2.0 , < 1.10.2
(semver)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
|
| absinthe-graphql | absinthe |
Affected:
0b46e3bcc06c0d3797bacd64761b908a84646c1d , < 223600c520493dcaf95080af552c413099f92c9d
(git)
cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43967",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T16:07:01.053904Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T16:07:10.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
],
"packageName": "absinthe",
"packageURL": "pkg:hex/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/phase/document/validation/unique_fragment_names.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
},
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "1.10.2",
"status": "affected",
"version": "1.2.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027"
],
"packageName": "absinthe-graphql/absinthe",
"packageURL": "pkg:github/absinthe-graphql/absinthe",
"product": "absinthe",
"programFiles": [
"lib/absinthe/phase/document/validation/unique_fragment_names.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2"
},
{
"name": "\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:duplicate?/2"
}
],
"repo": "https://github.com/absinthe-graphql/absinthe",
"vendor": "absinthe-graphql",
"versions": [
{
"lessThan": "223600c520493dcaf95080af552c413099f92c9d",
"status": "affected",
"version": "0b46e3bcc06c0d3797bacd64761b908a84646c1d",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:absinthe-graphql:absinthe:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.10.2",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Curtis Schiewek"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\u003cp\u003e\u003ctt\u003e\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2\u003c/tt\u003e iterates over all fragments and for each one calls \u003ctt\u003eduplicate?/2\u003c/tt\u003e, which evaluates \u003ctt\u003eEnum.count(fragments, \u0026amp;(\u0026amp;1.name == name))\u003c/tt\u003e \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\u003c/p\u003e\u003cp\u003eBecause \u003ctt\u003einput.fragments\u003c/tt\u003e is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\u003c/p\u003e\u003cp\u003eThis issue affects absinthe: from 1.2.0 before 1.10.2.\u003c/p\u003e"
}
],
"value": "Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation.\n\n\u0027Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames\u0027:run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, \u0026(\u00261.name == name)) \u2014 a full linear scan of the fragment list. The result is O(N\u00b2) comparisons per document, where N is the number of fragment definitions supplied by the caller.\n\nBecause input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 \u00d7 10\u2079 comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required.\n\nThis issue affects absinthe: from 1.2.0 before 1.10.2."
}
],
"impacts": [
{
"capecId": "CAPEC-229",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-229 Serialized Data Parameter Blowup"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407 Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T04:18:14.810Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-43967.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-43967"
},
{
"tags": [
"patch"
],
"url": "https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Quadratic fragment-name uniqueness check causes denial of service in absinthe",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-43967",
"datePublished": "2026-05-08T15:42:34.347Z",
"dateReserved": "2026-05-04T18:23:25.573Z",
"dateUpdated": "2026-05-09T04:18:14.810Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44378 (GCVE-0-2026-44378)
Vulnerability from cvelistv5 – Published: 2026-05-27 16:34 – Updated: 2026-05-27 19:21
VLAI
Title
Botan: Quadratic complexity decoding BER indefinite length encodings
Summary
Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which prohibits indefinite length encodings. This vulnerability is fixed in 3.12.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/randombit/botan/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T19:20:50.323732Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T19:21:23.552Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "botan",
"vendor": "randombit",
"versions": [
{
"status": "affected",
"version": "\u003c 3.12.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which prohibits indefinite length encodings. This vulnerability is fixed in 3.12.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T16:34:33.635Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/randombit/botan/security/advisories/GHSA-7q2v-3g27-6g3j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/randombit/botan/security/advisories/GHSA-7q2v-3g27-6g3j"
}
],
"source": {
"advisory": "GHSA-7q2v-3g27-6g3j",
"discovery": "UNKNOWN"
},
"title": "Botan: Quadratic complexity decoding BER indefinite length encodings"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44378",
"datePublished": "2026-05-27T16:34:33.635Z",
"dateReserved": "2026-05-05T20:15:20.631Z",
"dateUpdated": "2026-05-27T19:21:23.552Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44390 (GCVE-0-2026-44390)
Vulnerability from cvelistv5 – Published: 2026-05-20 09:21 – Updated: 2026-05-20 12:56
VLAI
Title
Unbounded name compression in certain cases causes degradation of service
Summary
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don't share a suffix above the root can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for this but it didn't account for the case where records would not share any suffix above the root. That causes Unbound to go in a different code path because of the compression tree lookup failure and eventually not increment the compression counter for those operations. Unbound 1.25.1 contains a patch with a fix that increments the compression counter regardless of the compression tree lookup. This is a complement fix to CVE-2024-8508.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.nlnetlabs.nl/downloads/unbound/CVE-20… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NLnet Labs | Unbound |
Affected:
0 , < 1.25.1
(semver)
|
Date Public
2026-05-20 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44390",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T12:55:48.767374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T12:56:32.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Unbound",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "1.25.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qifan Zhang (Palo Alto Networks)"
}
],
"datePublic": "2026-05-20T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don\u0027t share a suffix above the root can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for this but it didn\u0027t account for the case where records would not share any suffix above the root. That causes Unbound to go in a different code path because of the compression tree lookup failure and eventually not increment the compression counter for those operations. Unbound 1.25.1 contains a patch with a fix that increments the compression counter regardless of the compression tree lookup. This is a complement fix to CVE-2024-8508."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/U:Amber",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T09:21:24.590Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44390.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed starting with version 1.25.1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-26T00:00:00.000Z",
"value": "Issue reported by Qifan Zhang"
},
{
"lang": "en",
"time": "2026-04-28T00:00:00.000Z",
"value": "NLnet Labs shares patch"
},
{
"lang": "en",
"time": "2026-04-29T00:00:00.000Z",
"value": "Qifan Zhang verifies patch"
},
{
"lang": "en",
"time": "2026-05-20T00:00:00.000Z",
"value": "Fixes released with version 1.25.1"
}
],
"title": "Unbounded name compression in certain cases causes degradation of service",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2026-44390",
"datePublished": "2026-05-20T09:21:24.590Z",
"dateReserved": "2026-05-07T10:07:51.828Z",
"dateUpdated": "2026-05-20T12:56:32.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45186 (GCVE-0-2026-45186)
Vulnerability from cvelistv5 – Published: 2026-05-10 06:36 – Updated: 2026-05-11 22:23
VLAI
Summary
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| libexpat project | libexpat |
Affected:
0 , < 2.8.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45186",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:01:28.359121Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:02:22.001Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-11T22:23:27.385Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/11/16"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "libexpat",
"vendor": "libexpat project",
"versions": [
{
"lessThan": "2.8.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.8.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 2.9,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407 Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T06:42:10.021Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/libexpat/libexpat/pull/1216"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-45186",
"datePublished": "2026-05-10T06:36:16.927Z",
"dateReserved": "2026-05-10T06:36:15.697Z",
"dateUpdated": "2026-05-11T22:23:27.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45664 (GCVE-0-2026-45664)
Vulnerability from cvelistv5 – Published: 2026-06-10 21:30 – Updated: 2026-06-10 21:30
VLAI
Title
ImageMagick: Policy Bypass in MNG coder could
Summary
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use. This issue has been patched in versions 6.9.13-47 and 7.1.2-22.
Severity
5.3 (Medium)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ImageMagick/ImageMagick/securi… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ImageMagick | ImageMagick |
Affected:
< 6.9.13-47
Affected: < 7.1.2-22 |
{
"containers": {
"cna": {
"affected": [
{
"product": "ImageMagick",
"vendor": "ImageMagick",
"versions": [
{
"status": "affected",
"version": "\u003c 6.9.13-47"
},
{
"status": "affected",
"version": "\u003c 7.1.2-22"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use. This issue has been patched in versions 6.9.13-47 and 7.1.2-22."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T21:30:51.855Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g5mf-wqq5-vwg6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g5mf-wqq5-vwg6"
}
],
"source": {
"advisory": "GHSA-g5mf-wqq5-vwg6",
"discovery": "UNKNOWN"
},
"title": "ImageMagick: Policy Bypass in MNG coder could"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45664",
"datePublished": "2026-06-10T21:30:51.855Z",
"dateReserved": "2026-05-12T21:59:25.665Z",
"dateUpdated": "2026-06-10T21:30:51.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48959 (GCVE-0-2026-48959)
Vulnerability from cvelistv5 – Published: 2026-05-27 02:29 – Updated: 2026-05-29 15:50
VLAI
Title
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward
Summary
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.
fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.
Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| PMQS | IO::Uncompress::Unzip |
Affected:
0 , < 2.220
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-27T07:24:56.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/27/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-48959",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T15:50:09.916092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T15:50:39.869Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "IO-Compress",
"product": "IO::Uncompress::Unzip",
"programFiles": [
"lib/IO/Uncompress/Unzip.pm"
],
"programRoutines": [
{
"name": "IO::Uncompress::Unzip::fastForward"
}
],
"repo": "https://github.com/pmqs/IO-Compress",
"vendor": "PMQS",
"versions": [
{
"lessThan": "2.220",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.\n\nfastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.\n\nExtracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip-\u003enew($zip, Name =\u003e $target) drives a per-byte read loop scaling with the entry\u0027s compressed size, up to the non-Zip64 4 GiB cap."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407 Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T02:29:07.027Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/pmqs/IO-Compress/commit/68db44076f4c1a86a2ffe53a958eac6cabaf72e2.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/PMQS/IO-Compress-2.220/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to IO-Compress 2.220 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-14T00:00:00.000Z",
"value": "Issue reported."
},
{
"lang": "en",
"time": "2026-05-16T00:00:00.000Z",
"value": "Version 2.220 released."
}
],
"title": "IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-48959",
"datePublished": "2026-05-27T02:29:07.027Z",
"dateReserved": "2026-05-26T18:09:32.365Z",
"dateUpdated": "2026-05-29T15:50:39.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6042 (GCVE-0-2026-6042)
Vulnerability from cvelistv5 – Published: 2026-04-10 09:00 – Updated: 2026-04-10 15:54
VLAI
Title
musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic complexity
Summary
A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/356620 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/356620/cti | signaturepermissions-required |
| https://vuldb.com/submit/796352 | third-party-advisory |
| https://www.openwall.com/lists/oss-security/2026/… | related |
| https://www.openwall.com/lists/oss-security/2026/… | patch |
| http://www.openwall.com/lists/oss-security/2026/0… |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-04-10T09:31:09.913Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/04/09/19"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6042",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T15:44:05.493056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T15:54:06.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"GB18030 4-byte Decoder"
],
"product": "libc",
"vendor": "musl",
"versions": [
{
"status": "affected",
"version": "1.2.0"
},
{
"status": "affected",
"version": "1.2.1"
},
{
"status": "affected",
"version": "1.2.2"
},
{
"status": "affected",
"version": "1.2.3"
},
{
"status": "affected",
"version": "1.2.4"
},
{
"status": "affected",
"version": "1.2.5"
},
{
"status": "affected",
"version": "1.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0x001 (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "0x001 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T09:00:18.733Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-356620 | musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic complexity",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/356620"
},
{
"name": "VDB-356620 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/356620/cti"
},
{
"name": "Submit #796352 | musl libc musl 0.8.0 - 1.2.6 Inefficient Algorithmic Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/796352"
},
{
"tags": [
"related"
],
"url": "https://www.openwall.com/lists/oss-security/2026/04/02/10"
},
{
"tags": [
"patch"
],
"url": "https://www.openwall.com/lists/oss-security/2026/04/03/2"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-09T19:58:49.000Z",
"value": "VulDB entry last update"
}
],
"title": "musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic complexity"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-6042",
"datePublished": "2026-04-10T09:00:18.733Z",
"dateReserved": "2026-04-09T17:34:11.256Z",
"dateUpdated": "2026-04-10T15:54:06.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.