{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/rpcx--1.9.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-59803"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["rpcx \u003c= 1.9.3"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","rpcx","go-lang"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical denial-of-service (DoS) vulnerability, tracked as CVE-2026-59803, exists in the popular rpcx Go RPC framework, affecting all versions up to 1.9.3. This vulnerability stems from improper handling of compressed messages within the \u003ccode\u003eprotocol.Message.Decode\u003c/code\u003e function in \u003ccode\u003eprotocol/message.go\u003c/code\u003e. An unauthenticated attacker can exploit this by sending a specially crafted, small (under 2 MB) gzip-compressed message. The \u003ccode\u003eutil.Unzip\u003c/code\u003e function, used for decompression, lacks size limits on its output, allowing the small input to expand into gigabytes of memory allocation. The existing \u003ccode\u003eprotocol.MaxMessageLength\u003c/code\u003e guard is ineffective as it only checks the compressed frame length, not the expanded decompressed size. This \u0026quot;decompression bomb\u0026quot; leads to out-of-memory conditions, causing the rpcx service to crash and become unavailable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker establishes a connection to a vulnerable rpcx service.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious rpcx message with the compression flag set.\u003c/li\u003e\n\u003cli\u003eThe payload of this message consists of a small (under 2 MB) gzip-compressed data stream engineered to expand exponentially upon decompression.\u003c/li\u003e\n\u003cli\u003eThe attacker sends this crafted message over the established connection to the rpcx service.\u003c/li\u003e\n\u003cli\u003eThe rpcx service's \u003ccode\u003ereadRequest\u003c/code\u003e function receives the message prior to any authentication checks.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eprotocol.Message.Decode\u003c/code\u003e function is invoked to process the message, which subsequently calls \u003ccode\u003eutil.Unzip\u003c/code\u003e to decompress the payload.\u003c/li\u003e\n\u003cli\u003eDuring the decompression process, the maliciously crafted payload expands to consume gigabytes of the service's memory.\u003c/li\u003e\n\u003cli\u003eThe service encounters an out-of-memory (OOM) condition, leading to its crash and resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-59803 is the complete denial of service for affected rpcx applications. Exploitation is unauthenticated, meaning any external attacker can crash vulnerable services, rendering them unavailable to legitimate users. This can lead to significant operational disruption, data unavailability, and potential financial losses for organizations relying on rpcx for their services. While no specific victim count or targeted sectors are available, any organization deploying rpcx services through version 1.9.3 is at risk of this easily triggered DoS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-59803 immediately by upgrading rpcx to a patched version (1.9.4 or later) or applying commit 047aec1.\u003c/li\u003e\n\u003cli\u003eMonitor your rpcx application hosts for sudden spikes in memory usage or unexpected service restarts, which could indicate attempted exploitation of CVE-2026-59803.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T20:18:47Z","date_published":"2026-07-08T20:18:47Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rpcx-dos/","summary":"A denial-of-service vulnerability (CVE-2026-59803) in rpcx through version 1.9.3 allows an unauthenticated attacker to trigger out-of-memory conditions and service unavailability by sending a small, compressed message that expands to gigabytes of memory during decompression.","title":"CVE-2026-59803: rpcx Denial-of-Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-rpcx-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Rpcx \u003c= 1.9.3","version":"https://jsonfeed.org/version/1.1"}