Denial-of-Service

Argo Workflows is vulnerable to a denial-of-service (DoS) attack due to unbounded memory allocation in the Webhook Interceptor component.

The Contact Form 7 WordPress plugin through version 2.6.7 is vulnerable to uncontrolled resource consumption, allowing unauthenticated attackers to exhaust server memory and crash the PHP process by supplying an arbitrarily large integer value to the REST API endpoint, leading to unbounded loop execution.

A heap buffer overflow vulnerability in BusyBox's DHCPv6 client allows network-adjacent attackers to trigger memory corruption, denial of service, or arbitrary code execution via crafted DHCPv6 responses.

A remote, anonymous attacker can exploit multiple vulnerabilities in mutt to bypass security measures and cause a denial-of-service condition.

A local attacker can exploit a vulnerability in libexif to potentially execute arbitrary code, cause a denial of service, or disclose sensitive information.

A remote, authenticated attacker can exploit a vulnerability in MariaDB to perform a denial of service attack and potentially execute arbitrary program code.

Multiple vulnerabilities in Rapid7 Velociraptor could allow an attacker to disclose information or cause a denial of service.

Prosody versions before 0.12.6, versions 1.0.0 through 13.0.0, and before version 13.0.5 are vulnerable to a denial of service due to memory leaks from unauthenticated connections, leading to memory exhaustion.

CVE-2026-0967 is a denial-of-service vulnerability in libssh, stemming from inefficient regular expression processing that could lead to defense evasion and impact availability on affected systems.

A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read, potentially causing information disclosure or denial of service.

A vulnerability in ABB's IEC 61850 communication stack allows a remote attacker with access to the IEC 61850 network to cause a denial-of-service condition by sending a specially crafted packet, leading to device faults or communication driver crashes.

Multiple vulnerabilities in Absolute Secure Access could allow an attacker to escalate privileges, conduct a denial-of-service attack, and disclose sensitive information.

Multiple vulnerabilities in SonicWall SonicOS allow a remote attacker to escalate privileges, bypass security measures, or cause a denial-of-service condition.

A remote, anonymous attacker can exploit multiple vulnerabilities in Fast Datapath for Red Hat Enterprise Linux to perform a denial-of-service attack or disclose sensitive information.

A remote, unauthenticated attacker can exploit an unpatched vulnerability in libsndfile to cause a denial of service.

Multiple vulnerabilities in CUPS allow an attacker to bypass security measures, execute arbitrary code, escalate privileges, manipulate data, or cause a denial-of-service condition.

Multiple vulnerabilities in Google Chrome could allow an attacker to execute arbitrary code, bypass security mechanisms, disclose and manipulate data, and cause a denial-of-service condition.

Multiple vulnerabilities exist in Xen and Citrix Systems XenServer that could allow an attacker to escalate privileges, bypass security measures, modify and disclose data, or cause a denial-of-service condition.

Multiple vulnerabilities in DNSdist can be exploited by an attacker to perform a denial of service attack, impacting the availability of DNS services.

CVE-2026-32283 is a vulnerability in crypto/tls that allows unauthenticated TLS 1.3 KeyUpdate records, leading to persistent connection retention and a denial-of-service condition.

CVE-2026-28388 is a NULL Pointer Dereference vulnerability in an unspecified Microsoft product when processing a Delta CRL, potentially leading to a denial-of-service condition.

Multiple vulnerabilities in the Red Hat Linux kernel allow for arbitrary code execution, privilege escalation, and remote denial of service.

Multiple vulnerabilities in Exim versions prior to 4.99.2 allow an attacker to cause a remote denial of service, a breach of data confidentiality, and an unspecified security problem.

A remote, anonymous attacker can exploit multiple vulnerabilities in GNU libc to execute arbitrary program code, cause a denial-of-service condition, or disclose sensitive information.

Multiple vulnerabilities in Red Hat Enterprise Linux's LibRaw component allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

CoreDNS' DNS-over-QUIC (DoQ) server can be driven into large goroutine and memory growth by a remote client that opens many QUIC streams and stalls after sending only 1 byte, leading to denial of service in versions before 1.14.3.

OpenClaw before 2026.3.28 is vulnerable to a denial-of-service attack by accepting unbounded concurrent unauthenticated WebSocket upgrades, allowing attackers to exhaust server resources.

CVE-2026-23398 is a vulnerability related to a NULL pointer dereference in the ICMP protocol, potentially leading to a denial-of-service condition in affected Microsoft products.

A malformed `workflows.argoproj.io/pod-gc-strategy` annotation in an Argo Workflow pod can trigger an unchecked array index in the `podGCFromPod()` function, leading to a controller-wide panic and denial-of-service.

CVE-2026-31507 is a double-free vulnerability in the net/smc module that occurs when the tee() function duplicates a splice pipe buffer, potentially leading to memory corruption and denial of service.

CVE-2026-34282 is a remotely exploitable vulnerability in the Networking component of Oracle Java SE and GraalVM that allows an unauthenticated attacker to cause a complete denial of service.

NestJS versions before 11.1.19 are susceptible to an uncontrolled recursion vulnerability (CVE-2026-40879) where sending many small JSON messages in a single TCP frame triggers a call stack overflow, resulting in a denial-of-service condition.

A local attacker can exploit a vulnerability in util-linux to perform a denial of service attack and disclose sensitive information.

Remote, anonymous attackers can exploit vulnerabilities in Red Hat Hardened Images RPMs to bypass security measures, cause denial of service, disclose sensitive information, or potentially execute code.

Multiple vulnerabilities in Microsoft Visual Studio, .NET Framework, .NET, PowerShell, and Visual Studio Code can be exploited by an attacker to disclose sensitive information, conduct spoofing attacks, cause a denial of service, or bypass security measures, potentially leading to arbitrary code execution.

Multiple vulnerabilities in libarchive can be exploited by a remote attacker to disclose information or cause a denial-of-service condition.

An unauthenticated attacker can trigger a denial-of-service condition on vulnerable Firebird servers by sending a specially crafted op_crypt_key_callback packet, leading to a null pointer dereference and server crash.

Firebird versions before 5.0.4, 4.0.7, and 3.0.14 are vulnerable to a buffer overflow in the xdr_datum() function during slice packet deserialization, enabling unauthenticated attackers to cause a crash or potentially achieve arbitrary code execution by sending a malicious packet.

A remote attacker can exploit an out-of-bounds write vulnerability (CVE-2026-6507) in dnsmasq by sending a specially crafted BOOTREPLY packet to a server configured with the `--dhcp-split-relay` option, leading to a denial of service.

HashiCorp Vault is vulnerable to a denial-of-service (DoS) condition, identified as CVE-2026-5807, where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, preventing legitimate operators from completing these workflows.

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service, addressed in Vault versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

A vulnerability in the go-markdown library exists where processing a malformed input containing a '<' character that is not followed by a '>' character with a SmartypantsRenderer can lead to an out-of-bounds read or a panic, causing a denial of service.

An unauthenticated, remote attacker can exploit an out-of-bounds read vulnerability (CVE-2026-33096) in Windows HTTP.sys to cause a denial-of-service condition.

CVE-2026-32071 is a null pointer dereference vulnerability in the Windows Local Security Authority Subsystem Service (LSASS), allowing an unauthorized network attacker to cause a denial-of-service condition.

CVE-2026-26171 is a vulnerability in .NET that allows an unauthorized attacker to perform a denial-of-service attack over a network due to uncontrolled resource consumption.

A remote, anonymous attacker can exploit a vulnerability in libTIFF to potentially execute arbitrary code or cause a denial-of-service condition.

A denial-of-service vulnerability exists in jq versions prior to commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 due to the use of a hardcoded seed in MurmurHash3, enabling attackers to craft JSON objects that trigger hash collisions and cause excessive CPU consumption.

A denial-of-service vulnerability exists in NestJS's @nestjs/microservices package, affecting versions 11.1.18 and earlier, where an attacker can send multiple small, valid JSON messages within a single TCP frame, causing a stack overflow.

A vulnerability exists in @sveltejs/adapter-node where requests could bypass the `BODY_SIZE_LIMIT` on SvelteKit applications, potentially leading to denial of service.

CVE-2026-33797 is an improper input validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved that allows an unauthenticated adjacent attacker to reset established BGP sessions via a specific BGP packet, leading to a denial of service condition.

A remote, unauthenticated attacker can exploit CVE-2026-1584 in gnutls by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake, leading to a NULL pointer dereference and a denial-of-service condition.

A denial of service vulnerability, CVE-2026-23869, exists in React Server Components due to excessive CPU usage triggered by specially crafted HTTP requests to Server Function endpoints, potentially leading to service disruption.

A remote, unauthenticated attacker can cause resource exhaustion in Saleor e-commerce platforms via maliciously crafted GraphQL API requests, leading to denial of service.

Podman Desktop versions prior to 1.26.2 expose an unauthenticated HTTP server, allowing remote attackers to trigger denial-of-service conditions by exhausting resources and extract sensitive information through verbose error responses.

NVIDIA Triton Inference Server is vulnerable to denial of service due to insufficient input validation that, when combined with a large number of outputs, can cause a server crash.

A remote attacker can exploit multiple vulnerabilities in Apache Traffic Server to conduct a denial of service or request smuggling attack.

A remote, anonymous attacker can exploit a vulnerability in OpenSSH GSSAPI and Ubuntu Linux to trigger undefined behavior or a potential denial-of-service attack.

A heap-buffer-overflow read vulnerability exists in openFPGALoader 1.1.1 and earlier, allowing out-of-bounds heap memory access via a crafted .pof file, potentially leading to denial of service or information disclosure.

A denial-of-service vulnerability, CVE-2025-57834, exists in Samsung Exynos processors and modems due to improper input validation, potentially leading to device malfunction or service disruption.

An unauthenticated attacker can exploit an uncontrolled resource consumption vulnerability in Mesop versions 1.2.3 to 1.2.4 by sending a rapid succession of WebSocket messages, leading to thread exhaustion and a denial-of-service condition.

A vulnerable libp2p-rendezvous server can be crashed via a denial-of-service attack where an unauthenticated peer registers unlimited namespaces, leading to memory exhaustion.

A remote, unauthenticated attacker can cause a denial of service by sending crafted input to vulnerable versions of the Amazon Athena ODBC driver, triggering excessive resource consumption during parsing operations.

Suricata versions 8.0.0 to before 8.0.4 exhibit a quadratic complexity vulnerability (CVE-2026-31934) when searching for URLs in MIME-encoded SMTP messages, leading to significant performance degradation and potential denial-of-service conditions; this is fixed in version 8.0.4.

A vulnerability in the multipart parsing logic of gleam-wisp allows an unauthenticated attacker to bypass request size limits and cause a denial of service by exhausting server memory or disk.

Hirschmann EagleSDV devices are vulnerable to denial-of-service (DoS) attacks where a device crash can be triggered by establishing TLS 1.0 or TLS 1.1 connections, leading to service disruption.

A heap overflow vulnerability in the HiLCOS web interface of Hirschmann Industrial IT products (CVE-2024-14033) allows unauthenticated remote attackers to cause a denial-of-service condition by sending specially crafted requests, leading to device crashes and service disruption, particularly when the Public Spot functionality is enabled.

Suricata versions 8.0.0 to before 8.0.4 are vulnerable to a NULL dereference crash when using the 'tls.alpn' rule keyword, potentially leading to a denial of service.

An unauthenticated attacker can exploit CVE-2026-31932, a vulnerability in Suricata versions prior to 7.0.15 and 8.0.4, to cause performance degradation due to inefficient KRB5 buffering.

An unauthenticated attacker can cause a denial-of-service on Keycloak servers by sending a crafted POST request to the OIDC token endpoint with an excessively long scope parameter, leading to high resource consumption.

CVE-2026-35092 is an integer overflow vulnerability in Corosync's join message sanity validation, allowing a remote, unauthenticated attacker to send crafted UDP packets, resulting in a denial of service condition.

A remote, anonymous attacker can exploit a vulnerability in gdk-pixbuf to cause a denial of service and potentially execute arbitrary code.

A remote, anonymous attacker can exploit multiple vulnerabilities in libpng to execute arbitrary program code or cause a denial of service.

A remote, anonymous attacker can exploit a vulnerability in various HTTP/2 implementations to perform a denial-of-service attack.

A local attacker can exploit a vulnerability in libxslt on Red Hat Enterprise Linux to cause a denial of service or execute arbitrary program code.

A remote, authenticated attacker can exploit multiple vulnerabilities in Django to perform SQL injections, disclose confidential information, or cause a denial-of-service condition.

CVE-2026-24148 is a vulnerability in NVIDIA Jetson for JetPack's system initialization logic, where an unprivileged attacker can cause the initialization of a resource with an insecure default, potentially leading to information disclosure, data tampering, and denial of service.

A vulnerability in the iconv() function of the GNU C Library (versions 2.43 and earlier) can cause a crash due to an assertion failure when handling IBM1390 or IBM1399 character sets, potentially leading to remote application denial-of-service.

A remote, unauthenticated attacker can crash applications using libp2p-gossipsub versions prior to 0.49.4 by sending a crafted PRUNE control message with a near-maximum backoff value, causing an arithmetic overflow during heartbeat processing.

Multiple vulnerabilities in Fleet allow an attacker to perform SQL injection, denial of service, bypass security measures, disclose information, and execute arbitrary program code with administrator privileges.

Multiple vulnerabilities in Internet Systems Consortium BIND can be exploited by a remote attacker to conduct a denial of service attack or bypass security measures.

Multiple vulnerabilities in NGINX Plus and NGINX can be exploited by an attacker to perform a denial of service attack, manipulate data, bypass security measures, and potentially execute arbitrary program code, leading to significant impact.

An integer overflow vulnerability in Tinyproxy's HTTP chunked transfer encoding parser (versions <= 1.11.3) allows an unauthenticated remote attacker to cause a denial of service by sending a crafted chunk size that bypasses validation, leading to resource exhaustion.

A vulnerability in the antchfx/xpath package allows for denial of service via CPU exhaustion by exploiting boolean expressions that evaluate to true, leading to an infinite loop.

A vulnerability in MinIO allows authenticated users with `s3:PutObject` permission to inject internal server-side encryption metadata into objects via crafted replication headers, leading to permanent data unreadability.

EVerest, an EV charging software stack, has an out-of-bounds access vulnerability in versions prior to 2026.02.0, which can lead to remote crash or memory corruption when the CSMS sends UpdateAllowedEnergyTransferModes over the network.

CVE-2026-4926 describes a denial-of-service vulnerability due to an inefficient regular expression complexity issue when handling multiple sequential optional groups, leading to exponential growth and resource exhaustion.

CVE-2025-59032 describes a vulnerability in ManageSieve's AUTHENTICATE command, where using a literal as a SASL initial response can crash the ManageSieve service, leading to a denial-of-service condition.

The c2cciutils package is vulnerable to denial of service due to an uncontrolled recursion vulnerability (CWE-674) in the pyasn dependency, specifically versions before 1.1.65.

A denial of service vulnerability exists in Netty's HTTP/2 server implementation where an unauthenticated user can exhaust server CPU resources by sending a flood of CONTINUATION frames with zero-byte payloads, bypassing size-based mitigations and leading to service unavailability with minimal bandwidth usage; affected versions include netty-codec-http2 < 4.1.132.Final and netty-codec-http2 versions >= 4.2.0.Alpha1 and < 4.2.10.Final.

An unauthenticated attacker can exploit an out-of-bounds write vulnerability in CPCI85 Central Processing/Communication and SICORE Base System by sending a malicious XML request, potentially causing a service crash leading to a denial-of-service condition.

A vulnerability in NATS server allows a remote, unauthenticated attacker to cause a denial of service by sending a crafted WebSocket frame, leading to a server crash due to missing validation on WebSocket frame length.

CVE-2026-3988 is a denial of service vulnerability in GitLab CE/EE allowing unauthenticated users to crash instances by sending malformed GraphQL requests, affecting versions 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1.

Picomatch is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns with quantifiers, leading to excessive CPU consumption and denial of service.

The `replace_first` filter in LiquidJS is vulnerable to exponential memory amplification due to its use of JavaScript's `String.prototype.replace()` and mishandling of the `$&` backreference pattern, allowing attackers to bypass the `memoryLimit` and cause denial of service.

The Salvo web framework before version 0.89.3 is vulnerable to denial of service due to unbounded memory allocation when parsing form data, enabling attackers to crash services by sending large payloads.

Multiple vulnerabilities exist in GnuPG and Gpg4win that could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

An anonymous remote attacker can exploit a vulnerability in Apache CXF to perform a denial of service attack and disclose sensitive information.

Multiple vulnerabilities in Redis allow an attacker to execute arbitrary program code and perform a denial-of-service attack.

Multiple vulnerabilities in Red Hat Developer Hub allow a remote attacker to perform denial of service, execute arbitrary code, bypass security measures, and manipulate data.

An anonymous remote attacker can exploit multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform to cause a denial-of-service condition, manipulate data, and conduct further attacks such as cache poisoning and session hijacking.

Multiple vulnerabilities in the Grub bootloader allow attackers to execute arbitrary code and cause denial-of-service conditions.

Multiple vulnerabilities in Apache Tomcat can be exploited by a remote, authenticated or anonymous attacker to execute arbitrary code, bypass security measures, manipulate data, and cause a denial of service.

A remote, authenticated attacker can exploit a vulnerability in Red Hat Enterprise Linux (specifically 389-ds-base) to achieve arbitrary code execution and potentially cause a denial of service.

Multiple vulnerabilities in vim allow a local attacker to execute arbitrary code, cause a denial-of-service condition, or manipulate data.

Multiple vulnerabilities in CODESYS allow a remote attacker to execute arbitrary program code and conduct a denial-of-service attack.

Multiple vulnerabilities in GStreamer allow a remote, anonymous attacker to cause a denial-of-service condition, memory corruption, and potentially execute arbitrary code.

A remote attacker can exploit CVE-2026-30653 in Free5GC v4.2.0 and earlier by sending crafted requests to the AMF component's HandleAuthenticationFailure function, leading to a denial-of-service condition.

NGINX Plus and NGINX Open Source are vulnerable to a denial-of-service condition (CVE-2026-27651) when the ngx_mail_auth_http_module is enabled, CRAM-MD5 or APOP authentication is used, and the authentication server permits retry via the Auth-Wait response header, leading to worker process termination.

CVE-2026-4704 is a denial-of-service vulnerability in the WebRTC Signaling component affecting Firefox, Firefox ESR, and Thunderbird, potentially disrupting service availability.

An incorrect boundary condition in the Audio/Video Web Codecs component in Mozilla Firefox and Thunderbird (CVE-2026-4695) could lead to a denial-of-service (DoS) condition due to a vulnerability that affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

CVE-2026-4697 is a denial-of-service vulnerability due to incorrect boundary conditions in the Audio/Video Web Codecs component of Mozilla Firefox and Thunderbird, potentially leading to application crashes.

CVE-2026-4693 is a vulnerability due to incorrect boundary conditions in the Audio/Video: Playback component of Mozilla Firefox and Thunderbird, potentially leading to a denial-of-service condition.

An improper boundary condition vulnerability in the Canvas2D component of Mozilla Firefox, Firefox ESR, and Thunderbird (CVE-2026-4685) could allow for a denial-of-service condition.

An integer underflow vulnerability in strongSwan's EAP-TTLS AVP parser allows unauthenticated remote attackers to cause a denial of service by sending crafted AVP data with invalid length fields during IKEv2 authentication, leading to excessive memory allocation or a NULL pointer dereference.

A NULL pointer dereference vulnerability in the daap_reply_playlists function of owntone-server allows attackers to cause a Denial of Service (DoS) by sending a crafted DAAP request.

Multiple vulnerabilities in libpng allow a remote, anonymous attacker to perform denial of service attacks and execute arbitrary code.

A remote, anonymous attacker can exploit multiple vulnerabilities in FreeRDP to cause a denial of service or potentially execute arbitrary program code.

A remote, anonymous attacker can exploit a vulnerability in Apache Commons FileUpload to perform a denial of service attack.

A missing release of memory vulnerability (CVE-2026-33852) in MolotovCherry Android-ImageMagick7 before version 7.1.2-11 can lead to a denial-of-service condition due to memory exhaustion.

Team82 disclosed vulnerabilities in Schneider Electric Modicon Controllers M241, M251, and M262 PLC lines, which can allow an attacker to cause a denial-of-service condition and affect controller availability.

cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors, allowing attackers to trigger out-of-bounds reads via crafted glTF/GLB files, leading to denial of service and potential memory disclosure.

A guest VM issuing a Xenstore command with the node path '/local/domain/' can crash xenstored (CVE-2026-23555), or, if NDEBUG is defined, cause denial of service by consuming all CPU resources.

Jsrsasign versions before 11.1.1 are vulnerable to an infinite loop via the bnModInverse function when processing zero or negative inputs, potentially leading to a denial of service.

Multiple critical vulnerabilities in Quest KACE Systems Management Appliance (SMA), including authentication bypass and 2FA bypass, allow unauthenticated attackers to achieve system takeover and cause denial of service; active exploitation is reported.

A memory exhaustion vulnerability (CVE-2026-33155) exists in a widely used Python library, affecting services like SageMaker, DataHub, and acryl-datahub due to an incomplete patch for CVE-2025-58367, requiring pinning to version 8.6.2.

Multiple vulnerabilities in Yokogawa CENTUM VP R6 and R7 Vnet/IP Interface Package can be exploited by sending maliciously crafted packets, leading to denial-of-service or arbitrary code execution.

Multiple vulnerabilities in EV2GO charging stations, including missing authentication and session management flaws, could allow attackers to impersonate stations, hijack sessions, and cause denial-of-service conditions.

Unauthenticated attackers can exploit multiple vulnerabilities in Chargemap's charging stations, including missing authentication, improper authentication attempt restrictions, insufficient session expiration, and unprotected credentials, potentially leading to unauthorized control and denial-of-service.

go-zserio versions prior to 0.9.1 are vulnerable to unbounded memory allocation when deserializing data, potentially leading to denial of service.

A denial-of-service vulnerability exists in the russh crate, where a malicious client can crash any russh-based server implementing keyboard-interactive authentication by sending a crafted SSH_MSG_USERAUTH_INFO_RESPONSE message with a large response count, leading to excessive memory allocation and an out-of-memory crash without requiring any credentials.

Multiple vulnerabilities in GStreamer allow a remote, anonymous attacker to cause a denial-of-service condition or execute arbitrary code.

A crafted payload can force memory allocations of up to 16 GB, leading to a denial-of-service condition in applications using the Zserio serialization framework, including those within the automotive Navigation Data Standard (NDS).

An unchecked type assertion in Kyverno versions v1.13.0 to v1.17.1 allows a user with permission to create a Policy or ClusterPolicy to crash the cluster-wide background controller into a persistent CrashLoopBackOff, leading to a denial of service, by crafting a malicious policy that triggers a nil pointer dereference in the forEach mutation handler.

Versions of i18next-http-middleware before 3.9.3 are vulnerable to prototype pollution, path traversal, and server-side request forgery (SSRF) due to improper validation of user-controlled language and namespace parameters, potentially leading to denial of service or remote code execution.

An unauthenticated peer can crash a Nimiq node by sending a malformed election macro block containing an invalid BLS voting key, leading to a denial of service.

PhpSpreadsheet is vulnerable to a denial-of-service attack by crafting a SpreadsheetML XML file with an excessively large row index, which exhausts server CPU resources due to unbounded iteration.

A denial-of-service vulnerability exists in rustls-webpki versions prior to 0.103.13 and between 0.104.0-alpha.1 and 0.104.0-alpha.7 due to a panic in `bit_string_flags()` when processing a malformed CRL BIT STRING, triggered when CRL checking is enabled and an attacker provides a crafted CRL.

A vulnerability in PhpSpreadsheet exists where a crafted XLSX file containing a large row number can cause excessive CPU consumption due to unbounded loop iterations, leading to a denial of service.

A vulnerability in liquidjs versions prior to 10.25.7 allows for denial of service due to a circular block reference in the layout, causing an infinite recursive loop that exhausts memory and crashes the Node.js process.

i18next-http-middleware versions before 3.9.3 are vulnerable to HTTP response splitting and denial-of-service attacks due to unsanitized Content-Language headers, potentially leading to session fixation, cache poisoning, reflected XSS, or complete service disruption depending on the Node.js version.

A remote Denial of Service (DoS) vulnerability exists in GoBGP version 4.2.0 and earlier, where a malformed BGP UPDATE message can trigger a runtime error (index out of range panic), crashing the GoBGP process. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon, leading to a complete loss of routing capabilities.

A denial of service vulnerability exists in marked version 18.0.0 due to infinite recursion when processing a specific 3-byte sequence (tab, vertical tab, and newline), leading to unbounded memory allocation and application crash.

CVE-2026-28390 is a vulnerability related to a possible NULL pointer dereference when processing CMS KeyTransportRecipientInfo, potentially leading to a denial-of-service condition.

n8n is vulnerable to an unauthenticated denial of service (DoS) attack due to missing resource controls in the MCP OAuth client registration endpoint, allowing an attacker to exhaust server memory by sending large registration payloads, leading to service unavailability; this is resolved in versions 1.123.32, 2.17.4, and 2.18.1 and tracked as CVE-2026-42236.