Denial-of-Service

An unauthenticated attacker can trigger a denial-of-service condition in applications using the Faraday Ruby library by sending deeply nested query parameters (CVE-2026-54297), leading to `SystemStackError` and application crashes due to uncontrolled recursion.

The `Oj.dump` function in the `Oj` Ruby gem is vulnerable to a stack-based buffer overflow (CVE-2026-54502) due to improper validation of the `:indent` parameter, allowing an attacker to trigger a process crash or potentially remote code execution by providing an excessively large integer value, affecting all `Oj` gem versions prior to `3.17.2`.

The `undici` WebSocket client is vulnerable to CVE-2026-12151, a high-severity denial of service attack where a malicious WebSocket server can stream numerous small continuation frames that bypass `maxPayloadSize` checks, causing unbounded memory growth and exhaustion in affected client processes.

A vulnerability in the vim text editor allows a remote, unauthenticated attacker to perform a Denial of Service attack by exploiting a weakness to disrupt the service without requiring prior authentication.

Multiple vulnerabilities have been discovered in the expat XML parser library that can be exploited by a local attacker, potentially leading to a Denial of Service condition or allowing for arbitrary code execution on the affected system.

An unauthenticated attacker can exploit a vulnerability in the PHP JWT Library's PBES2AESKW::unwrapKey() function when processing JWE tokens that use PBES2-HS*+A*KW algorithms by crafting a JWE with an excessively large 'p2c' (PBKDF2 iteration count) parameter in the JOSE header, forcing the server to perform an unbounded and CPU-intensive PBKDF2 computation, resulting in a CPU-amplification denial of service.

The spomky-labs/otphp library is vulnerable to a denial of service (GHSA-g7m4-839x-ch6v) where an unbounded 'digits' parameter in an otpauth provisioning URI causes a DivisionByZeroError, leading to unhandled fatal errors in applications trying to generate or verify OTPs.

An unauthenticated attacker can exploit CVE-2026-55204, a null pointer dereference vulnerability in HAProxy through version 3.4.0, by triggering excessive HPACK dynamic table insertions under memory pressure, causing HAProxy worker processes to crash and resulting in a denial of service.

Multiple vulnerabilities, CVE-2026-45491 and CVE-2026-45591, have been discovered in Microsoft .Net and ASP.NET Core versions, allowing a remote attacker to cause a denial of service and compromise data integrity across Windows, Linux, and macOS platforms.

Multiple vulnerabilities, including CVE-2025-10263, CVE-2026-42487, CVE-2026-42488, CVE-2026-42489, and CVE-2026-42490, have been discovered in Xen, allowing an attacker to achieve privilege escalation, trigger a remote denial of service, and compromise data confidentiality on vulnerable hypervisor instances.

Multiple vulnerabilities exist in X.Org X11 and Xwayland, allowing attackers to disclose information, escalate privileges, conduct denial-of-service attacks, and perform unspecified attacks.

Multiple vulnerabilities in NetApp products, including CVE-2023-0482, CVE-2023-20863, CVE-2024-22257, CVE-2025-23367, CVE-2025-48976, CVE-2025-53816, and CVE-2025-53817, could lead to remote denial of service, data confidentiality breaches, and data integrity breaches.

A remote, anonymous attacker can exploit multiple vulnerabilities in ImageMagick to cause a denial of service condition, disclose information, and bypass security mechanisms.

A remote, anonymous attacker can exploit a vulnerability in the PostgreSQL JDBC Driver to perform a denial-of-service attack, impacting availability.

Multiple vulnerabilities in IBM Business Automation Workflow can be exploited by an attacker to bypass security measures, conduct a denial of service attack, disclose information, manipulate files, and conduct a cross-site scripting attack.

Multiple vulnerabilities in IBM App Connect Enterprise could allow an attacker to bypass security measures, manipulate data, disclose sensitive information, cause a denial-of-service condition, or perform other unspecified attacks.

An authorization bypass vulnerability exists in praisonai-platform where any member can remove any other member, including the workspace owner, due to missing role checks and owner protection logic, allowing an attacker to lock the legitimate owner out of their own workspace, leading to a permanent denial-of-service and potential workspace takeover (CVE-2026-47409).

Gotenberg is vulnerable to a remote denial-of-service (DoS) in multipart `downloadFrom` handling, where a crafted multipart request with multiple `downloadFrom` entries causes concurrent goroutines to write to shared maps without synchronization, leading to process termination.

Multiple vulnerabilities in Elastic Kibana allow for privilege escalation, remote denial of service, data breach, server-side request forgery (SSRF), and cross-site scripting (XSS).

Multiple vulnerabilities exist in Check Point Security Gateway that could be exploited by an attacker to perform a denial of service attack, disclose information, and perform a SQL injection attack.

CVE-2026-46185 is an out-of-bounds read vulnerability in the SMB client component within the symlink_data() function, potentially leading to information disclosure or denial of service.

CVE-2026-46172 is a vulnerability related to ipv6: xfrm6: release dst on error in xfrm6_rcv_encap(), potentially leading to a denial-of-service condition.

A denial-of-service vulnerability exists in strongSwan version 5.9.13 due to a flaw in the eap-radius plugin when built with DAE enabled, allowing remote attackers to exhaust worker threads by sending a crafted RADIUS Access-Request (CVE-2026-35333).

Multiple vulnerabilities in GitLab CE/EE allow attackers to cause remote denial of service and bypass security policies in versions 18.11.x before 18.11.4, 19.x before 19.0.1, and before 18.10.7; these vulnerabilities are tracked as CVE-2026-1402, CVE-2026-2601, CVE-2026-2710, CVE-2026-4868, CVE-2026-5296, CVE-2026-6713, and CVE-2026-8716.

A local attacker can exploit multiple vulnerabilities in the Linux Kernel to escalate privileges, cause a denial-of-service condition, disclose sensitive information, or perform an unspecified attack.

A remote, anonymous attacker can exploit a vulnerability in VMware Tanzu Spring Framework to perform a denial of service attack.

Multiple vulnerabilities in Vim could allow an attacker to execute arbitrary code or cause a denial of service condition.

A remote, authenticated attacker can exploit multiple vulnerabilities in IBM DB2 to perform a denial of service attack, potentially disrupting database services.

CVE-2026-46099 describes a vulnerability in the IPv6 network stack related to NOREF dst use in seg6 and rpl lwtunnels, requiring a security update to address potential exploitation.

Multiple vulnerabilities in Check Point Security Gateways and Spark Firewalls allow for remote denial of service, data confidentiality breaches, and data integrity compromise.

IBM Aspera High-Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1 are vulnerable to a denial-of-service (DoS) attack where an unauthenticated user can crash the asperahttpd service.

IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 are vulnerable to a denial-of-service (DoS) attack via a specially crafted query when autonomous transactions are enabled, potentially leading to service disruption.

IBM Aspera High-Speed Transfer Endpoint and Server are vulnerable to a buffer overflow in the asperahttpd component, potentially leading to denial of service, authentication bypass, or remote code execution.

Multiple vulnerabilities in IBM DB2 allow a remote, authenticated, or local attacker to disclose information, bypass security measures, or cause a denial of service.

Multiple vulnerabilities in CODESYS could allow an attacker to escalate privileges, manipulate data, or cause a denial of service.

IBM HTTP Server 8.5 and 9.0 are vulnerable to a heap-based buffer overflow, allowing a privileged, authenticated user to execute arbitrary code or cause a denial of service.

IBM HTTP Server 8.5 and 9.0 are vulnerable to a denial-of-service (DoS) attack due to a flaw in the optional `mod_mem_cache` module that can be triggered remotely.

A vulnerability, CVE-2025-11482, exists in ABB's PPT30 Operating System related to handling concurrent connections in the PPT30 OPC-UA Server, affecting versions prior to 1.8.0.

NordVPN version 6.14.31 is vulnerable to a denial-of-service attack (CVE-2018-25368) where an unauthenticated attacker can crash the application by submitting an excessively long string in the password field.

A remote, anonymous attacker can exploit multiple vulnerabilities in PuTTY to perform a denial of service attack, manipulate data, and possibly carry out spoofing attacks.

Multiple vulnerabilities in the Intel NPU Driver allow a local attacker to escalate privileges and cause a denial of service.

A remote, anonymous attacker can exploit a vulnerability in NGINX Open Source and NGINX Plus to perform a denial-of-service attack and potentially execute arbitrary code.

A public exploit is available for CVE-2026-38422, a critical remote code execution vulnerability in Arendst Tasmota affecting devices running version <= 15.3.0.3 with scripter support enabled via combined buffer overflows in the `fetch_jpg()` function.

A denial-of-service vulnerability, CVE-2026-47138, exists in Parse Server due to inefficient regular expression handling of the client SDK version field in HTTP requests, allowing an unauthenticated attacker to exhaust server resources by sending a crafted request with a malicious `X-Parse-Client-Version` header or `_ClientVersion` body field.

A remote denial-of-service vulnerability exists in Stormshield Network Security (SNS) versions 4.3.x before 4.3.43, 4.4.x to 4.8.x before 4.8.16, and 5.x before 5.0.6, allowing an attacker to disrupt service availability.

Multiple vulnerabilities in PowerDNS Authoritative Server allow an attacker to disclose information, manipulate data, and cause a denial-of-service condition.

Russh versions up to 0.60.2 are vulnerable to a memory-safety hardening issue due to unchecked `CryptoVec` allocation and growth handling, reachable from local agent inputs and remote SSH traffic, potentially triggering a process abort under constrained memory conditions.

A remote denial-of-service vulnerability (CVE-2026-46545) exists in Nimiq primitives where an unauthenticated peer can send a malicious chunk with an empty key, leading to a panic when `put_raw` attempts to store a value at the root node, causing the node process to abort.

A denial-of-service vulnerability exists in BookStack version 25.12.1, and a public exploit (EDB-52571) is available, increasing the risk to unpatched systems.

A remote, anonymous attacker can exploit multiple vulnerabilities in Internet Systems Consortium BIND to trigger memory corruption or cause a denial-of-service condition.

A vulnerability in ffmpeg allows an attacker to execute arbitrary program code and potentially conduct a denial of service attack.

A remote, authenticated attacker can exploit a vulnerability in vllm and PyTorch to cause a denial-of-service condition or potentially achieve remote code execution.

A remote, authenticated attacker can exploit a vulnerability in vllm to disclose information or cause a denial-of-service condition.

CVE-2026-44390 is a denial-of-service vulnerability in Microsoft products due to unbounded name compression.

Microsoft disclosed CVE-2026-42944, a heap overflow vulnerability related to the processing of multiple NSID, COOKIE, and PADDING EDNS options in an unspecified product.

PgBouncer versions prior to 1.25.2 are vulnerable to an integer overflow (CVE-2026-6664), enabling unauthenticated remote attackers to trigger a denial-of-service via a crafted SCRAM authentication packet, with active exploitation reported.

CVE-2026-45498 is a denial-of-service vulnerability in Microsoft Defender that could disrupt endpoint protection capabilities, requiring timely mitigation per vendor instructions.

Plug versions 1.4.0 to 1.19.1 are vulnerable to denial-of-service (CVE-2026-8468) due to unbounded buffer accumulation in multipart header parsing, allowing an unauthenticated attacker to exhaust server memory by sending a crafted multipart/form-data request.

A vulnerability in Wireshark versions 4.4.x before 4.4.16 and 4.6.x before 4.6.6 allows a remote attacker to cause a denial of service.

BIND servers configured for TKEY-based authentication using GSS-API tokens are susceptible to excessive memory consumption upon receiving and processing crafted packets, impacting availability.

A race condition in ISC BIND can lead to a use-after-free vulnerability (CVE-2026-5947) when handling SIG(0) signed DNS messages, potentially leading to undefined behavior.

Multiple flaws in BIND 9's `named` component, specifically versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1, can be exploited by sending specially crafted DNS requests with non-`IN` CLASS or meta-classes, leading to assertion failures and potential denial-of-service.

A use-after-free vulnerability in the DNS-over-HTTPS implementation of BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1 could allow an attacker to cause a denial of service or potentially execute arbitrary code.

Multiple vulnerabilities in Mozilla Firefox, Firefox ESR, and Thunderbird could allow a remote attacker to execute arbitrary code, disclose information, bypass security restrictions, deceive the user, escalate privileges, or cause a denial-of-service condition.

Multiple vulnerabilities in Nvidia GPU Display Drivers allow a local attacker to escalate privileges, manipulate data, disclose information, cause a denial of service, or execute code.

CVE-2026-9064 describes a denial-of-service vulnerability in 389-ds-base where an unauthenticated attacker can send a crafted LDAP request with excessive controls, causing excessive CPU consumption and heap allocation, leading to latency degradation, worker thread starvation, or out-of-memory termination.

CVE-2026-43492 is an integer underflow vulnerability in the mpi_read_raw_from_sgl function within the lib/crypto component that could lead to unexpected behavior or denial-of-service.

SQLFluff versions prior to 4.2.0 are vulnerable to uncontrolled resource consumption (CVE-2026-46374), allowing an attacker to cause a denial of service by submitting a maliciously crafted, long SQL query.

Dasel versions 3.0.0 to 3.3.1 are vulnerable to a denial-of-service attack (CVE-2026-46378) where the selector lexer enters a non-terminating loop when tokenizing an unterminated regex pattern, causing 100% CPU usage on one core, which can be triggered by an attacker-controlled selector/query string.

An unauthenticated remote peer can exhaust the disk storage of any `@libp2p/kad-dht` node running in server mode by sending an unbounded stream of `PUT_VALUE` messages with crafted keys to bypass validation and cause disk exhaustion.

A vulnerability in Wire's protobuf group-skipping logic allows a crafted payload with a negative length to cause a runtime exception and potentially crash services decoding untrusted protobuf, addressed in version 6.3.0.

Bandit versions 1.6.0 through 1.11.0 are vulnerable to an unauthenticated denial-of-service (CVE-2026-39806) via a chunked request with trailers, where sending a request with `Transfer-Encoding: chunked` and a trailer field causes the connection's worker process to spin forever in an infinite recursion, exhausting the listener pool and rendering the server unresponsive.

An application that passes an overlong ciphertext buffer to `libcrux_chacha20poly1305::encrypt` or `libcrux_chacha20poly1305::xchacha20_poly1305::encrypt` can experience a panic, leading to a crash if the buffer length is attacker-controlled, affecting libcrux-chacha20poly1305 versions prior to 0.0.8.

An authenticated or anonymous attacker can exploit multiple vulnerabilities in Red Hat Enterprise Linux regarding Valkey to manipulate files or cause a denial-of-service condition.

Multiple vulnerabilities in Docker allow a local attacker to execute arbitrary code with administrator privileges, cause a denial-of-service condition, or manipulate data.

An authenticated or unauthenticated remote attacker can exploit multiple vulnerabilities in Red Hat Enterprise Linux and Quarkus to perform a denial of service attack, disclose sensitive information, or manipulate data.

A remote anonymous attacker can exploit multiple vulnerabilities in the Grafana component of Red Hat Enterprise Linux and OpenShift to execute arbitrary code, disclose confidential information, and cause a denial-of-service condition.

A remote, anonymous attacker can exploit multiple vulnerabilities in Ruby to cause a denial-of-service condition and disclose confidential information.

A local attacker can exploit a vulnerability in libpng to execute arbitrary program code or cause a denial-of-service condition.

A denial-of-service vulnerability, identified as CVE-2026-37458, exists in the MP_REACH_NLRI component of FRRouting versions stable/10.0 to stable/10.6, where authenticated attackers can trigger a DoS by sending a crafted UPDATE message due to missing input validation.

CVE-2026-31704 is a vulnerability in ksmbd related to the use of check_add_overflow() to prevent a u16 DACL size overflow, potentially leading to denial of service or privilege escalation.

A remotely reachable integer overflow in OpenTelemetry eBPF Instrumentation's (OBI) memcached text protocol parser can crash the OBI process, causing a denial of service due to unchecked arithmetic when handling large payload sizes in memcached storage commands.

Malformed MongoDB wire messages can trigger uncaught panics in the OpenTelemetry eBPF Instrumentation agent's MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service.

DumbAssets version 1.0.11 is vulnerable to a path traversal vulnerability in the POST /api/delete-file endpoint, allowing unauthenticated attackers to delete arbitrary files, including critical files like server.js or package.json, resulting in denial of service.

The OpenTelemetry eBPF Instrumentation (OBI) Postgres protocol parser is vulnerable to a remote availability issue - when processing BIND messages, the parser assumes payloads contain a valid NUL-terminated portal name; a crafted empty or unterminated payload can cause OBI to slice beyond the end of the captured buffer, triggering a runtime panic and crashing the agent.

Multiparty versions 4.2.3 and lower are vulnerable to denial of service via prototype pollution, where a crafted multipart/form-data request with a field name colliding with an Object.prototype property triggers a TypeError, leading to an uncaught exception and process crash.

Arcane's REST API lacks proper admin authorization checks on Git repository management endpoints, allowing any authenticated user to exfiltrate stored Git credentials and tamper with GitOps configurations by redirecting credential requests to an attacker-controlled host.

The Avro map decoder accepted attacker-controlled block-element counts, leading to unbounded map growth and potential denial-of-service via memory exhaustion; upgrading to v2.33.0 requires explicit configuration of MaxMapAllocSize to mitigate the vulnerability.

Sticky Notes Widget 3.0.6 is vulnerable to a denial-of-service attack (CVE-2021-47973), where an attacker can crash the application on iOS devices by pasting excessively long character strings into note fields.

Sticky Notes & Color Widgets 1.4.2 is vulnerable to denial of service via excessively long character strings (CVE-2021-47972), allowing attackers to crash the application.

My Notes Safe 5.3 is vulnerable to a denial-of-service attack (CVE-2021-47971) where an attacker can crash the application by pasting excessively long character strings into note fields.

Macaron Notes 5.5 is vulnerable to a denial-of-service condition (CVE-2021-47970) due to its handling of excessively long character strings in notes, leading to application crashes.

Color Notes 1.4 is vulnerable to a denial-of-service attack (CVE-2021-47969) where pasting excessively long character strings into note fields can crash the application, achieved by generating and pasting a 350,000-character payload twice into a new note.

Radare2 version 6.1.5 contains a use-after-free vulnerability (CVE-2026-8696) in the gdbr_pids_list() function, allowing remote attackers to cause a denial of service or potentially execute arbitrary code via malformed thread information responses.

The WordPress Plugin WPGraphQL version 1.3.5 is vulnerable to a denial-of-service attack where unauthenticated attackers can exhaust server resources by sending batched GraphQL queries with duplicated fields, potentially causing server out-of-memory conditions and MySQL connection errors.

Multiple vulnerabilities have been discovered in Shibboleth Identity Provider and OpenSAML Java library that allow an attacker to cause a remote denial of service and security policy bypass, addressed in versions 5.2.2 and later.

Multiple vulnerabilities in Strapi could allow an attacker to cause a denial-of-service condition, gain administrator privileges, manipulate data, disclose confidential information, or bypass security measures.

Multiple vulnerabilities in Shibboleth Identity Provider allow an attacker to perform SMTP injection or cause a denial of service.

Multiple vulnerabilities in GStreamer can be exploited by a remote, anonymous attacker to disclose information, conduct a denial-of-service attack, corrupt data, or execute arbitrary code.

Multiple vulnerabilities in AMD EPYC, Athlon, and Ryzen processors can be exploited by an attacker to execute arbitrary code, escalate privileges, bypass security measures, cause a denial-of-service condition, disclose sensitive information, or manipulate data.

Multiple vulnerabilities exist in Microsoft Windows products, enabling attackers to execute arbitrary code, escalate privileges, perform denial-of-service attacks, disclose information, or bypass security measures.

Open WebUI is vulnerable to broken object-level authorization, allowing low-privilege authenticated users to enumerate and stop global background tasks across the system, leading to a denial-of-service condition and is tracked as CVE-2026-45399 and CVE-2025-63681.

The `devalue` package is vulnerable to a denial-of-service (DoS) attack (CVE-2026-42570) due to excessive memory allocation during sparse array deserialization via `devalue.parse`, affecting versions 5.6.3 through 5.8.0.

A denial-of-service vulnerability exists in Synapse where local authenticated users can cause CPU starvation, leading to request failures for other users (CVE-2026-45078).

MongoDB published a security advisory to address CVE-2026-8053, an undefined behavior vulnerability when inserting data with duplicate field names into timeseries collections, affecting versions 5.0.0 through 8.3.1.

Vvveb before version 1.0.8.3 is vulnerable to an uncontrolled recursion vulnerability in the admin controller dispatch cycle that allows a low-privilege attacker to cause denial of service by exhausting PHP memory.

Fleet server versions prior to 4.81.0 are vulnerable to a denial-of-service (DoS) via the gRPC Launcher `PublishLogs` endpoint, where unexpected input values can cause the server process to terminate upon receiving a crafted request from an authenticated Launcher host.

A denial-of-service vulnerability exists in the Absinthe GraphQL library (versions 1.2.0 to 1.10.1), where an unauthenticated attacker can exhaust server resources by submitting a crafted GraphQL query with a large number of fragment definitions due to the quadratic complexity of fragment name uniqueness validation.

Absinthe versions 1.5.0 before 1.10.2 are vulnerable to a denial-of-service attack (CVE-2026-42793) due to unbounded atom creation when parsing GraphQL SDL documents, allowing an attacker to exhaust the Erlang VM's atom table and crash the entire node by submitting a crafted document with numerous unique directive names.

CVE-2026-42409 describes a vulnerability in F5 BIG-IP where undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate when an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, potentially leading to denial of service.

CVE-2026-41956 describes a vulnerability in F5 Networks' Traffic Management Microkernel (TMM) where undisclosed requests can cause TMM termination when a classification profile is configured on a UDP virtual server, leading to a denial-of-service condition.

NGINX Plus and NGINX Open Source are vulnerable to a heap buffer overflow (CVE-2026-42945) due to crafted HTTP requests when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed PCRE capture with a replacement string that includes a question mark, potentially leading to denial of service or code execution.

CVE-2026-40060 describes a vulnerability in F5 BIG-IP Advanced WAF and ASM security policies where undisclosed requests can cause the `bd` process to terminate, leading to a denial-of-service condition.

CVE-2026-39455 describes a denial-of-service vulnerability in the BIG-IP Configuration utility when configured with LDAP authentication, where undisclosed traffic can cause the httpd process to exhaust file descriptors.

An unauthenticated, adjacent attacker can disrupt Palo Alto Networks Prisma SD-WAN ION devices by sending a specially crafted IPv6 packet, leading to a denial-of-service condition.

Unauthenticated attackers can cause a denial of service (DoS) condition on Palo Alto Networks PAN-OS firewalls by sending specially crafted network traffic, as described in CVE-2026-0262.

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-7635), allowing unauthenticated attackers to inject a crafted PHP serialized payload via the User-Agent header, leading to a persistent Denial of Service condition.

An authenticated remote attacker can exploit vulnerabilities in MongoDB to execute arbitrary code, manipulate data, disclose confidential information, or cause a denial-of-service condition.

Multiple vulnerabilities in Aruba ArubaOS could allow an attacker to perform a denial of service attack, disclose information, perform a SQL injection attack, bypass security measures, and execute arbitrary code.

A local attacker can exploit multiple vulnerabilities in Adobe Creative Cloud applications to execute arbitrary program code, disclose confidential information, or cause a denial-of-service condition.

A remote, authenticated attacker can exploit a vulnerability in Fortinet FortiAnalyzer and FortiManager to perform a denial-of-service attack, disrupting normal operations.

Multiple vulnerabilities in Microsoft developer tools and platforms could allow an attacker to achieve arbitrary code execution, data manipulation, privilege escalation, bypassing security measures, information disclosure, and denial of service.

A remote, anonymous attacker can exploit a vulnerability in strongSwan's eap-mschapv2 plugin to cause a denial of service condition or possibly execute arbitrary code.

An authenticated remote attacker can exploit a vulnerability in Langflow to perform a denial-of-service attack, impacting system availability.

Klever-Go's MultiDataInterceptor is vulnerable to a remote denial-of-service (DoS) attack. By sending a crafted compressed P2P payload, an unauthenticated attacker can trigger excessive memory allocation on the receiving node, leading to an out-of-memory (OOM) condition and potentially disrupting chain liveness.

A memory leak vulnerability exists in UltraJSON's `ujson.dump()` function; when writing to a file-like object, if the write operation raises an exception, the serialized JSON string object is not properly de-referenced, leading to a memory leak (CVE-2026-44660).

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are susceptible to an uncontrolled resource consumption vulnerability, potentially leading to a denial-of-service condition by exhausting system resources.

CVE-2026-42899 describes an infinite loop vulnerability in ASP.NET Core that allows an unauthorized attacker to perform a denial of service attack over a network.

A null pointer dereference vulnerability exists in Windows TCP/IP, allowing an unauthorized attacker on an adjacent network to cause a denial-of-service condition.

CVE-2026-40413 is a null pointer dereference vulnerability in Windows TCP/IP that allows an unauthenticated attacker on an adjacent network to cause a denial-of-service condition.

CVE-2026-40401 is a null pointer dereference vulnerability in Windows TCP/IP that allows a local, unauthorized attacker to cause a denial of service.

protobuf.js is vulnerable to a denial-of-service (DoS) attack (CVE-2026-44289) due to unbounded recursion while decoding nested protobuf data, potentially leading to stack exhaustion and process crashes when processing crafted protobuf binary payloads.

Multiple vulnerabilities in dnsmasq could allow an attacker to cause a denial of service, execute arbitrary code with root privileges, disclose sensitive information, manipulate data, and redirect users to malicious domains.

Multiple vulnerabilities exist in Apple macOS Sonoma, macOS Sequoia, and macOS Tahoe that could allow an attacker to elevate privileges, conduct a denial-of-service attack, disclose information, execute arbitrary code, and bypass security measures.

Multiple vulnerabilities in IBM DB2 Big SQL could allow an attacker to perform a denial of service attack and execute arbitrary code.

A remote, anonymous attacker can exploit multiple vulnerabilities in Red Hat Enterprise Linux to execute arbitrary code or cause a denial-of-service condition.

GhostLock is a proof-of-concept tool that abuses the Windows CreateFileW API to block access to files on local and SMB network shares, causing a denial-of-service condition.

Bird-lg-go is vulnerable to a denial-of-service (DoS) attack (CVE-2026-45047) where an unauthenticated remote attacker can cause an out-of-memory error by streaming an extremely large JSON payload to the apiHandler, leading to termination of the bird-lg-go daemon.

Next.js applications using Partial Prerendering through Cache Components are vulnerable to connection exhaustion (CVE-2026-44579), where crafted POST requests to a server action trigger a request-body handling deadlock, consuming server capacity and leading to denial of service.

Urllib3 versions before 2.7.0 are vulnerable to excessive resource consumption when using the streaming API to decompress responses, particularly when using the Brotli library or calling HTTPResponse.drain_conn() after partial decompression, leading to high CPU usage and memory allocation, potentially causing a denial-of-service condition (CVE-2026-44432).

@vitejs/plugin-rsc is vulnerable to a denial-of-service attack due to an embedded vulnerable version of react-server-dom-webpack, potentially causing resource exhaustion.

A malformed HTTP request can crash any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint has no error handling around URL parsing, so a request with an invalid URI causes an uncaught `TypeError` that terminates the process, leading to a denial of service. Update `@opentelemetry/exporter-prometheus` and `@opentelemetry/sdk-node` to version **0.217.0** or later and `@opentelemetry/auto-instrumentations-node` to version **0.75.0** or later to remediate.

Multiple vulnerabilities in KDE Kdenlive and Okular allow a remote, anonymous attacker to execute arbitrary code, bypass security measures, manipulate data, disclose confidential information, or cause a denial-of-service condition.

A remote, anonymous attacker can exploit multiple vulnerabilities in Red Hat Hardened Images RPMs to cause a denial-of-service condition and possibly manipulate data or perform path traversal attacks.

A remote, anonymous attacker can exploit multiple vulnerabilities in strongSwan to conduct a denial-of-service attack or potentially achieve arbitrary code execution.

CVE-2026-23276 is a net vulnerability affecting tunnel xmit functions, requiring a fix to add an xmit recursion limit.

Multiple vulnerabilities in SmarterTools SmarterMail could allow an attacker to gain elevated privileges, bypass security measures, manipulate data, disclose sensitive information, cause a denial-of-service condition, or carry out other unspecified attacks.

memono Notepad 4.2 is vulnerable to a denial-of-service attack, allowing attackers to crash the application by pasting excessively long character buffers (specifically, two pastes of 350,000 repeated characters) into note fields on iOS devices, as tracked by CVE-2021-47944.

The free5GC NRF's /oauth2/token endpoint is vulnerable to a type confusion vulnerability due to incorrect parsing of form data, leading to a denial-of-service via unauthenticated requests.

A nil pointer dereference vulnerability exists in free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler when UDR access fails, causing a denial-of-service condition.

The @fastify/accepts-serializer package is vulnerable to a denial of service (DoS) attack due to unbounded cache growth, where an attacker can send many distinct Accept header variants, causing the cache to grow unbounded, exhausting the Node.js heap, and crashing the process.

A stack-based buffer overflow vulnerability exists in Dronecode PX4 Autopilot versions up to and including 1.17.0-rc2 that allows an attacker with MAVLink link access to cause a denial of service by creating a deeply nested directory via MAVLink FTP and then requesting the log list, crashing the MAVLink task.

A crafted Orchard transaction with a zero-value rk field can cause a Zebra node to crash due to a panic in the orchard crate, leading to a denial-of-service condition; this vulnerability is identified as CVE-2026-41584 and patched in zebrad version 4.3.1 and zebra-chain version 6.0.2.

A stack-based buffer overflow vulnerability exists in the `tattu_can` driver of Dronecode PX4-Autopilot versions 1.17.0-rc1 and earlier; by injecting specially crafted CAN frames, an attacker can trigger an unbounded memcpy operation, leading to a stack corruption and subsequent crash of the PX4 process, resulting in a denial of service.

Multiple vulnerabilities in AxonFlow platform versions prior to 7.5.0, including multi-tenant isolation issues and SQL injection, could lead to unauthorized access, information disclosure, denial of service, and other security impacts; AxonFlow v7.5.0 resolves these issues.

An unauthenticated remote attacker can cause a denial-of-service condition on Cisco Crosswork Network Controller and Network Services Orchestrator by exhausting connection resources via a high volume of connection requests.

Bandit versions 0.5.8 before 1.11.0 are vulnerable to denial of service when permessage-deflate is enabled, allowing an unauthenticated client to exhaust the BEAM's memory with a single, small, compressed WebSocket frame due to unbounded decompression.

Netty's HttpContentDecompressor and DelegatingDecompressorFrameListener are vulnerable to a decompression bomb denial-of-service attack because the maxAllocation parameter is not enforced when Content-Encoding is set to br (Brotli), zstd, or snappy, allowing attackers to bypass decompression limits and cause unbounded memory allocation.

Netty's Lz4FrameDecoder is vulnerable to resource exhaustion, where an attacker can cause excessive memory allocation by sending a small, crafted header, leading to a denial-of-service condition; this affects netty-codec-compression versions up to 4.2.12.Final and netty-codec versions up to 4.1.132.Final.

The ldap3_proto package is vulnerable to LDAP Filter stack exhaustion due to unbounded query depth, potentially causing a denial of service in applications processing LDAP queries, affecting versions before 0.7.1.

An unauthenticated GET request with deeply nested parentheses in the SCIM filter parameter can cause stack exhaustion and process termination in Kanidm, leading to denial of service.

Netty's epoll transport fails to properly close TCP connections that receive a RST after a half-close, leading to resource exhaustion and potential CPU busy-loops, impacting service availability.

Snappier versions 1.3.0 and earlier are vulnerable to a denial-of-service condition where a malformed Snappy stream input to `SnappyStream` decompression causes an infinite loop, consuming a thread until the process is terminated.

Cisco released security advisories on May 6, 2026, addressing vulnerabilities including remote code execution, server-side request forgery, and denial of service in Crosswork Network Controller, IoT Field Network Director, Network Services Orchestrator, SG350/SG350X Managed Switches, and Unity Connection.

WatchGuard Agent on Windows (version 1.25.02.0000 and prior) is vulnerable to multiple privilege escalation and denial-of-service vulnerabilities, potentially allowing local attackers to execute arbitrary code with SYSTEM privileges or cause a denial of service.

A remote, authenticated attacker can cause a denial-of-service condition on vulnerable Cisco SG350 and SG350X Series Managed Switches by sending a crafted SNMP request due to improper error handling.

A low-privileged user with user creation permissions in Grav CMS can overwrite existing accounts, including the primary administrator, leading to a Denial of Service (DoS) and privilege de-escalation by exploiting a business logic vulnerability in versions prior to 2.0.0-beta.2.

The webonyx/graphql-php library has an unbounded recursion vulnerability in its parser that can lead to a stack overflow, causing a denial of service by terminating the PHP process with a SIGSEGV.

An unauthenticated remote denial-of-service vulnerability in Plug.Cowboy allows attackers to exhaust the BEAM atom table via HTTP/2 requests, crashing the Erlang VM.

A remote, authenticated attacker can exploit multiple vulnerabilities in Asterisk's pjproject to cause denial-of-service or memory corruption, potentially leading to code execution or security bypass.

Multiple vulnerabilities in Rapid7 Velociraptor could allow an attacker to perform a denial-of-service attack or disclose sensitive information.

A local attacker can exploit a vulnerability in Red Hat Hardened Images RPMs to execute arbitrary code or cause a denial of service.

Multiple vulnerabilities in Vaultwarden could be exploited by an attacker to bypass security measures, conduct a denial-of-service attack, and disclose information, potentially leading to unauthorized access and service disruption.

Multiple vulnerabilities in Red Hat Hardened Images RPMs can be exploited by an attacker to bypass security measures, escalate privileges, disclose sensitive information, manipulate data, or cause a denial-of-service condition.

A local attacker can exploit vulnerabilities in X.Org X11 and Xwayland to perform unspecified attacks, including memory corruption, information disclosure, or a denial-of-service condition.

A remote, anonymous attacker can exploit a vulnerability in Podman Desktop to perform a denial of service attack and disclose sensitive information.

A local attacker can exploit a vulnerability in tigervnc to disclose information, manipulate files, and perform a denial of service attack.

Multiple vulnerabilities in Intel Firmware allow a local attacker to escalate privileges, cause a denial-of-service condition, or disclose sensitive information.

Multiple vulnerabilities in OpenSSL can be exploited by a remote attacker to conduct a denial-of-service attack, disclose information, or recover ciphertext over a network.

Multiple vulnerabilities in Asterisk versions 20.18.x before 20.19.0, 21.12.x before 21.12.2, 22.8.x before 22.9.0, 23.2.x before 23.3.0, certified-asterisk 20.x before 20.7-cert10, and certified-asterisk 22.x before 22.8-cert2 allow a remote attacker to cause a denial of service.

The Prometheus remote read endpoint is vulnerable to denial of service due to a missing validation of the declared decoded length in snappy-compressed request bodies, allowing unauthenticated attackers to exhaust memory resources.

Multiple denial-of-service vulnerabilities exist in `gix-pack`; crafted delta data can cause unchecked array indexing, leading to panics, and uncapped attacker-controlled size headers enable out-of-memory process kills, triggered by malicious pack data during clone/fetch operations.

OpenClaw versions prior to 2026.4.10 are vulnerable to a denial-of-service attack where remote attackers can send oversized WebSocket frames to the voice-call realtime path, causing service unavailability.

Multiple vulnerabilities in Apache HTTP Server can be exploited by an attacker to gain elevated privileges, execute arbitrary code, bypass security measures, disclose sensitive information, or cause a denial-of-service condition.

Multiple vulnerabilities in vm2 allow attackers to execute arbitrary code, perform denial of service, disclose information, and bypass security measures.

Multiple vulnerabilities in Prometheus could allow an attacker to perform a Denial of Service attack, disclose sensitive information, or execute Cross-Site Scripting attacks.

Argo Workflows is vulnerable to a denial-of-service (DoS) attack due to unbounded memory allocation in the Webhook Interceptor component.

The Contact Form 7 WordPress plugin through version 2.6.7 is vulnerable to uncontrolled resource consumption, allowing unauthenticated attackers to exhaust server memory and crash the PHP process by supplying an arbitrarily large integer value to the REST API endpoint, leading to unbounded loop execution.

A heap buffer overflow vulnerability in BusyBox's DHCPv6 client allows network-adjacent attackers to trigger memory corruption, denial of service, or arbitrary code execution via crafted DHCPv6 responses.

A remote, anonymous attacker can exploit multiple vulnerabilities in mutt to bypass security measures and cause a denial-of-service condition.

A local attacker can exploit a vulnerability in libexif to potentially execute arbitrary code, cause a denial of service, or disclose sensitive information.

A remote, authenticated attacker can exploit a vulnerability in MariaDB to perform a denial of service attack and potentially execute arbitrary program code.

Multiple vulnerabilities in Rapid7 Velociraptor could allow an attacker to disclose information or cause a denial of service.

Prosody versions before 0.12.6, versions 1.0.0 through 13.0.0, and before version 13.0.5 are vulnerable to a denial of service due to memory leaks from unauthenticated connections, leading to memory exhaustion.

CVE-2026-0967 is a denial-of-service vulnerability in libssh, stemming from inefficient regular expression processing that could lead to defense evasion and impact availability on affected systems.

A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read, potentially causing information disclosure or denial of service.

A vulnerability in ABB's IEC 61850 communication stack allows a remote attacker with access to the IEC 61850 network to cause a denial-of-service condition by sending a specially crafted packet, leading to device faults or communication driver crashes.

Multiple vulnerabilities in Absolute Secure Access could allow an attacker to escalate privileges, conduct a denial-of-service attack, and disclose sensitive information.

Multiple vulnerabilities in SonicWall SonicOS allow a remote attacker to escalate privileges, bypass security measures, or cause a denial-of-service condition.

A remote, anonymous attacker can exploit multiple vulnerabilities in Fast Datapath for Red Hat Enterprise Linux to perform a denial-of-service attack or disclose sensitive information.

A remote, unauthenticated attacker can exploit an unpatched vulnerability in libsndfile to cause a denial of service.

Multiple vulnerabilities in CUPS allow an attacker to bypass security measures, execute arbitrary code, escalate privileges, manipulate data, or cause a denial-of-service condition.

Multiple vulnerabilities exist in Xen and Citrix Systems XenServer that could allow an attacker to escalate privileges, bypass security measures, modify and disclose data, or cause a denial-of-service condition.

Multiple vulnerabilities in DNSdist can be exploited by an attacker to perform a denial of service attack, impacting the availability of DNS services.

CVE-2026-32283 is a vulnerability in crypto/tls that allows unauthenticated TLS 1.3 KeyUpdate records, leading to persistent connection retention and a denial-of-service condition.

CVE-2026-28388 is a NULL Pointer Dereference vulnerability in an unspecified Microsoft product when processing a Delta CRL, potentially leading to a denial-of-service condition.

Multiple vulnerabilities in the Red Hat Linux kernel allow for arbitrary code execution, privilege escalation, and remote denial of service.

Multiple vulnerabilities in Exim versions prior to 4.99.2 allow an attacker to cause a remote denial of service, a breach of data confidentiality, and an unspecified security problem.

A remote, anonymous attacker can exploit multiple vulnerabilities in GNU libc to execute arbitrary program code, cause a denial-of-service condition, or disclose sensitive information.

Multiple vulnerabilities in Red Hat Enterprise Linux's LibRaw component allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

CoreDNS' DNS-over-QUIC (DoQ) server can be driven into large goroutine and memory growth by a remote client that opens many QUIC streams and stalls after sending only 1 byte, leading to denial of service in versions before 1.14.3.

OpenClaw before 2026.3.28 is vulnerable to a denial-of-service attack by accepting unbounded concurrent unauthenticated WebSocket upgrades, allowing attackers to exhaust server resources.

CVE-2026-23398 is a vulnerability related to a NULL pointer dereference in the ICMP protocol, potentially leading to a denial-of-service condition in affected Microsoft products.

A malformed `workflows.argoproj.io/pod-gc-strategy` annotation in an Argo Workflow pod can trigger an unchecked array index in the `podGCFromPod()` function, leading to a controller-wide panic and denial-of-service.

CVE-2026-31507 is a double-free vulnerability in the net/smc module that occurs when the tee() function duplicates a splice pipe buffer, potentially leading to memory corruption and denial of service.

CVE-2026-34282 is a remotely exploitable vulnerability in the Networking component of Oracle Java SE and GraalVM that allows an unauthenticated attacker to cause a complete denial of service.

NestJS versions before 11.1.19 are susceptible to an uncontrolled recursion vulnerability (CVE-2026-40879) where sending many small JSON messages in a single TCP frame triggers a call stack overflow, resulting in a denial-of-service condition.

A local attacker can exploit a vulnerability in util-linux to perform a denial of service attack and disclose sensitive information.

Remote, anonymous attackers can exploit vulnerabilities in Red Hat Hardened Images RPMs to bypass security measures, cause denial of service, disclose sensitive information, or potentially execute code.

Multiple vulnerabilities in Microsoft Visual Studio, .NET Framework, .NET, PowerShell, and Visual Studio Code can be exploited by an attacker to disclose sensitive information, conduct spoofing attacks, cause a denial of service, or bypass security measures, potentially leading to arbitrary code execution.

Multiple vulnerabilities in libarchive can be exploited by a remote attacker to disclose information or cause a denial-of-service condition.

An unauthenticated attacker can trigger a denial-of-service condition on vulnerable Firebird servers by sending a specially crafted op_crypt_key_callback packet, leading to a null pointer dereference and server crash.

Firebird versions before 5.0.4, 4.0.7, and 3.0.14 are vulnerable to a buffer overflow in the xdr_datum() function during slice packet deserialization, enabling unauthenticated attackers to cause a crash or potentially achieve arbitrary code execution by sending a malicious packet.

A remote attacker can exploit an out-of-bounds write vulnerability (CVE-2026-6507) in dnsmasq by sending a specially crafted BOOTREPLY packet to a server configured with the `--dhcp-split-relay` option, leading to a denial of service.

HashiCorp Vault is vulnerable to a denial-of-service (DoS) condition, identified as CVE-2026-5807, where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, preventing legitimate operators from completing these workflows.

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service, addressed in Vault versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

A vulnerability in the go-markdown library exists where processing a malformed input containing a '<' character that is not followed by a '>' character with a SmartypantsRenderer can lead to an out-of-bounds read or a panic, causing a denial of service.

An unauthenticated, remote attacker can exploit an out-of-bounds read vulnerability (CVE-2026-33096) in Windows HTTP.sys to cause a denial-of-service condition.

CVE-2026-32071 is a null pointer dereference vulnerability in the Windows Local Security Authority Subsystem Service (LSASS), allowing an unauthorized network attacker to cause a denial-of-service condition.

CVE-2026-26171 is a vulnerability in .NET that allows an unauthorized attacker to perform a denial-of-service attack over a network due to uncontrolled resource consumption.

A remote, anonymous attacker can exploit a vulnerability in libTIFF to potentially execute arbitrary code or cause a denial-of-service condition.

A denial-of-service vulnerability exists in jq versions prior to commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 due to the use of a hardcoded seed in MurmurHash3, enabling attackers to craft JSON objects that trigger hash collisions and cause excessive CPU consumption.

A denial-of-service vulnerability exists in NestJS's @nestjs/microservices package, affecting versions 11.1.18 and earlier, where an attacker can send multiple small, valid JSON messages within a single TCP frame, causing a stack overflow.

A vulnerability exists in @sveltejs/adapter-node where requests could bypass the `BODY_SIZE_LIMIT` on SvelteKit applications, potentially leading to denial of service.

CVE-2026-33797 is an improper input validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved that allows an unauthenticated adjacent attacker to reset established BGP sessions via a specific BGP packet, leading to a denial of service condition.

A remote, unauthenticated attacker can exploit CVE-2026-1584 in gnutls by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake, leading to a NULL pointer dereference and a denial-of-service condition.

A denial of service vulnerability, CVE-2026-23869, exists in React Server Components due to excessive CPU usage triggered by specially crafted HTTP requests to Server Function endpoints, potentially leading to service disruption.

A remote, unauthenticated attacker can cause resource exhaustion in Saleor e-commerce platforms via maliciously crafted GraphQL API requests, leading to denial of service.

Podman Desktop versions prior to 1.26.2 expose an unauthenticated HTTP server, allowing remote attackers to trigger denial-of-service conditions by exhausting resources and extract sensitive information through verbose error responses.

NVIDIA Triton Inference Server is vulnerable to denial of service due to insufficient input validation that, when combined with a large number of outputs, can cause a server crash.

A remote attacker can exploit multiple vulnerabilities in Apache Traffic Server to conduct a denial of service or request smuggling attack.

A remote, anonymous attacker can exploit a vulnerability in OpenSSH GSSAPI and Ubuntu Linux to trigger undefined behavior or a potential denial-of-service attack.

A heap-buffer-overflow read vulnerability exists in openFPGALoader 1.1.1 and earlier, allowing out-of-bounds heap memory access via a crafted .pof file, potentially leading to denial of service or information disclosure.

A denial-of-service vulnerability, CVE-2025-57834, exists in Samsung Exynos processors and modems due to improper input validation, potentially leading to device malfunction or service disruption.

An unauthenticated attacker can exploit an uncontrolled resource consumption vulnerability in Mesop versions 1.2.3 to 1.2.4 by sending a rapid succession of WebSocket messages, leading to thread exhaustion and a denial-of-service condition.

A vulnerable libp2p-rendezvous server can be crashed via a denial-of-service attack where an unauthenticated peer registers unlimited namespaces, leading to memory exhaustion.

A remote, unauthenticated attacker can cause a denial of service by sending crafted input to vulnerable versions of the Amazon Athena ODBC driver, triggering excessive resource consumption during parsing operations.

Suricata versions 8.0.0 to before 8.0.4 exhibit a quadratic complexity vulnerability (CVE-2026-31934) when searching for URLs in MIME-encoded SMTP messages, leading to significant performance degradation and potential denial-of-service conditions; this is fixed in version 8.0.4.

A vulnerability in the multipart parsing logic of gleam-wisp allows an unauthenticated attacker to bypass request size limits and cause a denial of service by exhausting server memory or disk.

Hirschmann EagleSDV devices are vulnerable to denial-of-service (DoS) attacks where a device crash can be triggered by establishing TLS 1.0 or TLS 1.1 connections, leading to service disruption.

A heap overflow vulnerability in the HiLCOS web interface of Hirschmann Industrial IT products (CVE-2024-14033) allows unauthenticated remote attackers to cause a denial-of-service condition by sending specially crafted requests, leading to device crashes and service disruption, particularly when the Public Spot functionality is enabled.

Suricata versions 8.0.0 to before 8.0.4 are vulnerable to a NULL dereference crash when using the 'tls.alpn' rule keyword, potentially leading to a denial of service.

An unauthenticated attacker can exploit CVE-2026-31932, a vulnerability in Suricata versions prior to 7.0.15 and 8.0.4, to cause performance degradation due to inefficient KRB5 buffering.

An unauthenticated attacker can cause a denial-of-service on Keycloak servers by sending a crafted POST request to the OIDC token endpoint with an excessively long scope parameter, leading to high resource consumption.

CVE-2026-35092 is an integer overflow vulnerability in Corosync's join message sanity validation, allowing a remote, unauthenticated attacker to send crafted UDP packets, resulting in a denial of service condition.

A remote, anonymous attacker can exploit a vulnerability in gdk-pixbuf to cause a denial of service and potentially execute arbitrary code.

A remote, anonymous attacker can exploit multiple vulnerabilities in libpng to execute arbitrary program code or cause a denial of service.

A remote, anonymous attacker can exploit a vulnerability in various HTTP/2 implementations to perform a denial-of-service attack.

A local attacker can exploit a vulnerability in libxslt on Red Hat Enterprise Linux to cause a denial of service or execute arbitrary program code.

A remote, authenticated attacker can exploit multiple vulnerabilities in Django to perform SQL injections, disclose confidential information, or cause a denial-of-service condition.

CVE-2026-24148 is a vulnerability in NVIDIA Jetson for JetPack's system initialization logic, where an unprivileged attacker can cause the initialization of a resource with an insecure default, potentially leading to information disclosure, data tampering, and denial of service.

A vulnerability in the iconv() function of the GNU C Library (versions 2.43 and earlier) can cause a crash due to an assertion failure when handling IBM1390 or IBM1399 character sets, potentially leading to remote application denial-of-service.

A remote, unauthenticated attacker can crash applications using libp2p-gossipsub versions prior to 0.49.4 by sending a crafted PRUNE control message with a near-maximum backoff value, causing an arithmetic overflow during heartbeat processing.

Multiple vulnerabilities in Fleet allow an attacker to perform SQL injection, denial of service, bypass security measures, disclose information, and execute arbitrary program code with administrator privileges.

Multiple vulnerabilities in Internet Systems Consortium BIND can be exploited by a remote attacker to conduct a denial of service attack or bypass security measures.

Multiple vulnerabilities in NGINX Plus and NGINX can be exploited by an attacker to perform a denial of service attack, manipulate data, bypass security measures, and potentially execute arbitrary program code, leading to significant impact.

An integer overflow vulnerability in Tinyproxy's HTTP chunked transfer encoding parser (versions <= 1.11.3) allows an unauthenticated remote attacker to cause a denial of service by sending a crafted chunk size that bypasses validation, leading to resource exhaustion.

A vulnerability in the antchfx/xpath package allows for denial of service via CPU exhaustion by exploiting boolean expressions that evaluate to true, leading to an infinite loop.

A vulnerability in MinIO allows authenticated users with `s3:PutObject` permission to inject internal server-side encryption metadata into objects via crafted replication headers, leading to permanent data unreadability.

EVerest, an EV charging software stack, has an out-of-bounds access vulnerability in versions prior to 2026.02.0, which can lead to remote crash or memory corruption when the CSMS sends UpdateAllowedEnergyTransferModes over the network.

CVE-2026-4926 describes a denial-of-service vulnerability due to an inefficient regular expression complexity issue when handling multiple sequential optional groups, leading to exponential growth and resource exhaustion.

CVE-2025-59032 describes a vulnerability in ManageSieve's AUTHENTICATE command, where using a literal as a SASL initial response can crash the ManageSieve service, leading to a denial-of-service condition.

The c2cciutils package is vulnerable to denial of service due to an uncontrolled recursion vulnerability (CWE-674) in the pyasn dependency, specifically versions before 1.1.65.

A denial of service vulnerability exists in Netty's HTTP/2 server implementation where an unauthenticated user can exhaust server CPU resources by sending a flood of CONTINUATION frames with zero-byte payloads, bypassing size-based mitigations and leading to service unavailability with minimal bandwidth usage; affected versions include netty-codec-http2 < 4.1.132.Final and netty-codec-http2 versions >= 4.2.0.Alpha1 and < 4.2.10.Final.