{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/bird-lg-go/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["bird-lg-go"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","json","CVE-2026-45047","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBird-lg-go is susceptible to a denial-of-service vulnerability caused by unbounded JSON decoding in the \u003ccode\u003eapiHandler\u003c/code\u003e function. The handler calls \u003ccode\u003ejson.NewDecoder(r.Body).Decode(\u0026amp;request)\u003c/code\u003e directly on the request body without first capping how many bytes may be read. Because Go\u0026rsquo;s \u003ccode\u003ejson.Decoder\u003c/code\u003e buffers the whole JSON value before it can finish decoding, an unauthenticated remote attacker can stream an arbitrarily large payload (for example, an otherwise valid request padded with gigabytes of whitespace or filler fields) and force the process to allocate memory in proportion to whatever is sent. The process either aborts with \u003ccode\u003efatal error: runtime: out of memory\u003c/code\u003e when the Go runtime can no longer obtain memory from the kernel, or is killed by the Linux OOM killer once the system (or the service\u0026rsquo;s cgroup) runs short of memory; in both cases the \u003ccode\u003ebird-lg-go\u003c/code\u003e daemon terminates, resulting in a remote denial of service (RDoS). This affects bird-lg-go versions prior to commit 0ff87024cb9e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker opens a TCP connection to the bird-lg-go HTTP listener.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to an endpoint served by \u003ccode\u003eapiHandler\u003c/code\u003e or \u003ccode\u003ewebHandlerTelegramBot\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request body is a JSON document that the attacker streams without end; nothing on the server restricts its size, and a chunked body need not declare one.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ejson.NewDecoder(r.Body).Decode(\u0026amp;request)\u003c/code\u003e begins decoding the body.\u003c/li\u003e\n\u003cli\u003eThe decoder buffers the incoming bytes and allocates memory for the decoded structure as it goes.\u003c/li\u003e\n\u003cli\u003eThe oversized payload exhausts the memory available to the process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebird-lg-go\u003c/code\u003e process aborts with \u003ccode\u003efatal error: runtime: out of memory\u003c/code\u003e or is terminated by the Linux OOM killer.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability causes a complete denial of service by crashing the \u003ccode\u003ebird-lg-go\u003c/code\u003e daemon. A single attacker needs no credentials and no special conditions to exhaust the server\u0026rsquo;s memory, so every reachable deployment of a vulnerable version is exposed. Successful exploitation interrupts service until the daemon is restarted, whether manually or by a process supervisor; since the attack is cheap to repeat, a supervisor only shortens each outage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of \u003ccode\u003ebird-lg-go\u003c/code\u003e that contains the fix for CVE-2026-45047 (commit 0ff87024cb9e or later).\u003c/li\u003e\n\u003cli\u003eBound request bodies before decoding them, for example by wrapping \u003ccode\u003er.Body\u003c/code\u003e in \u003ccode\u003ehttp.MaxBytesReader\u003c/code\u003e with a limit sized for legitimate API requests, so that an oversized body makes the decoder return an error instead of allocating without limit. Where the daemon sits behind a reverse proxy, enforce a body-size limit there as well (for example \u003ccode\u003eclient_max_body_size\u003c/code\u003e in nginx) for defence in depth.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Bird-lg-go Excessive JSON Payload\u0026rdquo; to flag requests whose body size exceeds what the API legitimately needs. The rule can only fire where request body sizes are logged, for example by a reverse proxy in front of the daemon, and a streamed body is only measured once the transfer ends.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T16:19:59Z","date_published":"2026-05-11T16:19:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-bird-lg-go-oom/","summary":"Bird-lg-go is vulnerable to a denial-of-service (DoS) attack (CVE-2026-45047) where an unauthenticated remote attacker can cause an out-of-memory error by streaming an extremely large JSON payload to the apiHandler, leading to termination of the bird-lg-go daemon.","title":"Bird-lg-go Unbounded JSON Decode Denial of Service (CVE-2026-45047)","url":"https://feed.craftedsignal.io/briefs/2026-05-bird-lg-go-oom/"}],"language":"en","title":"CraftedSignal Threat Feed — Bird-Lg-Go","version":"https://jsonfeed.org/version/1.1"}
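The unbounded-decode pattern from the advisory and the `http.MaxBytesReader` mitigation from its recommendation, side by side, as an added Go example that is not code from bird-lg-go or from the advisory. It reproduces the `json.NewDecoder(r.Body).Decode(&request)` call with no size cap, the hardened form that bounds the body before decoding, and a constructed padded payload driven through both handlers with `net/http/httptest` while counting how many body bytes each one consumes. The request struct fields, the `/api/` path and the 64 KiB limit are assumptions made for this example, not values taken from the project.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// apiRequest stands in for the struct that bird-lg-go's apiHandler decodes
// into; the field names are assumptions made for this example.
type apiRequest struct {
	Servers []string `json:"servers"`
	Type    string   `json:"type"`
	Args    string   `json:"args"`
}

// maxAPIBody is the cap chosen for the hardened handler (an assumption). A
// legitimate looking-glass query is a few hundred bytes, so 64 KiB is generous.
const maxAPIBody = 64 << 10

// vulnerableHandler reproduces the pattern the advisory describes: the body is
// decoded with no size limit, so json.Decoder buffers whatever the client sends.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	var req apiRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "ok: %d servers", len(req.Servers))
}

// hardenedHandler wraps the body in http.MaxBytesReader before decoding. Once
// the limit is crossed the next Read returns *http.MaxBytesError, the decoder
// gives up, and net/http also marks the connection to be closed.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxAPIBody)
	var req apiRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "ok: %d servers", len(req.Servers))
}

// countingReader records how many body bytes a handler actually pulled in.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// paddedPayload builds a constructed attack body: a valid API request whose
// tokens are separated by pad bytes of whitespace. The JSON grammar permits
// this, so the decoder has to buffer all of it before it can finish the value.
func paddedPayload(pad int) string {
	return `{"servers":["a"],` + strings.Repeat(" ", pad) + `"type":"summary","args":""}`
}

// exercise drives a handler with httptest and reports the status code and the
// number of body bytes the handler consumed. The request carries no
// Content-Length, which matches a streamed (chunked) upload.
func exercise(h http.HandlerFunc, body string) (status int, consumed int64) {
	cr := &countingReader{r: strings.NewReader(body)}
	req := httptest.NewRequest(http.MethodPost, "/api/", cr)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, cr.n
}

func main() {
	body := paddedPayload(4 << 20) // 4 MiB of padding; a real attack streams far more
	s, n := exercise(vulnerableHandler, body)
	fmt.Printf("vulnerable: status=%d consumed=%d of %d bytes\n", s, n, len(body))
	s, n = exercise(hardenedHandler, body)
	fmt.Printf("hardened:   status=%d consumed=%d of %d bytes\n", s, n, len(body))
}
```

Run as-is, the vulnerable handler reads the entire 4 MiB body and answers 200, while the hardened handler stops reading within a byte of the 64 KiB cap and answers 413; raise the pad to several gigabytes and watch the first process's RSS climb until the runtime or the OOM killer ends it. The cap only bounds what is read, and the decoder still buffers up to that amount per request, so set it as low as legitimate requests allow and pair it with a reverse-proxy limit where one is in front of the daemon.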