CVE-2026-45047 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-45047/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 11 May 2026 16:19:59 +0000Bird-lg-go Unbounded JSON Decode Denial of Service (CVE-2026-45047)https://feed.craftedsignal.io/briefs/2026-05-bird-lg-go-oom/Mon, 11 May 2026 16:19:59 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-bird-lg-go-oom/Bird-lg-go is vulnerable to a denial-of-service (DoS) attack (CVE-2026-45047) where an unauthenticated remote attacker can cause an out-of-memory error by streaming an extremely large JSON payload to the apiHandler, leading to termination of the bird-lg-go daemon.Bird-lg-go is susceptible to a denial-of-service vulnerability due to unbounded JSON decoding in the apiHandler function. Specifically, the application uses json.NewDecoder(r.Body).Decode(&request) without implementing a maximum read size limit. This allows an unauthenticated remote attacker to send an arbitrarily large JSON payload to the application. The Go JSON decoder attempts to allocate memory for the entire parsed structure, and an attacker can exploit this by sending gigabytes of padded data, rapidly exhausting the available memory. This triggers a fatal error: runtime: out of memory condition, causing the Linux OOM Killer to terminate the bird-lg-go daemon, effectively creating a remote denial of service (RDoS). This affects bird-lg-go versions prior to commit 0ff87024cb9e.

Attack Chain

  1. An unauthenticated attacker establishes a TCP connection to the bird-lg-go server.
  2. The attacker sends an HTTP POST request to an endpoint handled by the apiHandler or webHandlerTelegramBot.
  3. The HTTP request body contains a malicious JSON payload.
  4. The attacker streams an extremely large, potentially endless, JSON payload without any size restrictions.
  5. The json.NewDecoder(r.Body).Decode(&request) function attempts to decode the JSON.
  6. The Go JSON decoder allocates memory to store the decoded JSON structure.
  7. The attacker’s oversized payload exhausts the available memory.
  8. The bird-lg-go process encounters a fatal error: runtime: out of memory condition and terminates due to the Linux OOM Killer.

Impact

The vulnerability can cause a complete denial of service by crashing the bird-lg-go daemon. A single attacker can disrupt the service by exhausting the server’s memory resources. The impact is significant as it affects the availability of the application. While the exact number of victims is not specified, any deployment of a vulnerable version of bird-lg-go is susceptible to this attack. Successful exploitation leads to service interruption until the daemon is manually restarted.

Recommendation

  • Apply the patch or upgrade to a version of bird-lg-go containing the fix for CVE-2026-45047 to mitigate the unbounded JSON decoding vulnerability.
  • Implement resource limits, such as http.MaxBytesReader, to restrict the size of incoming HTTP request bodies to prevent excessive memory allocation, mitigating CVE-2026-45047.
  • Deploy the Sigma rule “Detect Bird-lg-go Excessive JSON Payload” to identify potentially malicious requests based on the size of the request body.
]]>mediumadvisorydenial-of-servicejsonCVE-2026-45047linux