<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-06-25T06:41:53.910213+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/b8f7ac11-58ba-44ba-a573-8e7cb7afcd6b/export</id>
    <title>b8f7ac11-58ba-44ba-a573-8e7cb7afcd6b</title>
    <updated>2026-06-25T06:41:53.927017+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "b8f7ac11-58ba-44ba-a573-8e7cb7afcd6b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39197", "type": "seen", "source": "https://gist.github.com/pyuysig/221e90dd598ab3f3c3100ae59db8e8d4", "content": "# Vulnerability Report: CVE-2026-39197 - Vector - HTTP and gRPC ingest body buffering can cause memory exhaustion\n\n## Vulnerability Summary\nVector 0.54.0 contains missing inbound size controls in several HTTP and gRPC ingest paths. A remote attacker can submit an oversized request body or highly compressed payload that is fully buffered or decompressed before an effective size limit is enforced, leading to memory exhaustion and denial of service.\n\n## Affected Product\n- **Vendor**: Vector Contributors\n- **Product**: Vector\n- **Version**: 0.54.0\n- **Vulnerable Component**: src/sources/util/http/prelude.rs, src/sources/util/http/encoding.rs, src/sources/opentelemetry/http.rs, src/sources/splunk_hec/mod.rs, src/sources/util/grpc/decompression.rs, src/sources/vector/mod.rs, src/sources/opentelemetry/config.rs\n\n## Vulnerability Details\n- **Vulnerability Type**: Resource Management Error / Algorithmic Complexity\n- **Weakness**: CWE-400, CWE-770\n- **Attack Conditions**: Remote. The attacker must be able to reach an enabled Vector HTTP or gRPC ingest endpoint; compressed-payload variants depend on the relevant content encoding or gRPC compression path being enabled.\n\n## Report Body\n\n### Summary\nVector 0.54.0 contains missing inbound size controls in several HTTP and gRPC ingest paths. A remote attacker can submit an oversized request body or highly compressed payload that is fully buffered or decompressed before an effective size limit is enforced, leading to memory exhaustion and denial of service.\n\n### Details\nThe affected paths buffer HTTP request bodies or inflate compressed data into memory before enforcing a practical application-level size ceiling. The gRPC decompression layer disables tonic decode-size protection and only performs size checks after decompression.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-39197.\n3. Confirm the security result: Sending an oversized HTTP body, a highly compressed HTTP payload, or a large compressed gRPC message causes attacker-controlled memory growth before rejection, producing a repeatable denial-of-service condition.\n\n### Impact\nRemote denial of service through process memory exhaustion, crash, or restart loops on enabled ingest endpoints.\n\n## Remediation\nApply maximum body and decompressed-output limits before allocation and decompression. Preserve framework decode limits unless an equivalent pre-decompression limit is installed.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:32.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/b8f7ac11-58ba-44ba-a573-8e7cb7afcd6b/export"/>
    <published>2026-06-13T12:45:32+00:00</published>
  </entry>
</feed>
