Tag
js-libp2p Gossipsub Memory Exhaustion via Subscription Flood
1 rule, 2 TTPs
A memory exhaustion vulnerability exists in `@libp2p/gossipsub` due to unbounded subscription handling, allowing a single attacker to exhaust a Node.js heap by flooding unique topic subscriptions, leading to denial-of-service.
Mailpit Unauthenticated Remote Memory Exhaustion DoS Vulnerability
3 rules, 1 TTP
Mailpit is vulnerable to an unauthenticated remote memory-exhaustion denial-of-service attack due to missing size limits on incoming SMTP DATA and HTTP requests, leading to unbounded memory and disk growth, potentially crashing the application.
Avro Map Decoder Vulnerable to Denial-of-Service via Unbounded Memory Allocation
2 rules, 1 TTP
The Avro map decoder accepted attacker-controlled block-element counts, leading to unbounded map growth and potential denial-of-service via memory exhaustion; upgrading to v2.33.0 requires explicit configuration of MaxMapAllocSize to mitigate the vulnerability.
vm2 Sandbox Escape via Buffer.alloc Memory Exhaustion
3 rules, 2 TTPs
A vulnerability exists in the vm2 npm package (<= 3.10.5) where sandboxed code can bypass the timeout protection by calling Buffer.alloc() with an arbitrary size, leading to memory exhaustion on the host system.
Prosody Memory Exhaustion Vulnerability (CVE-2026-43506)
2 rules, 1 TTP, 1 CVE
Prosody versions before 0.12.6, versions 1.0.0 through 13.0.0, and before version 13.0.5 are vulnerable to a denial of service due to memory leaks from unauthenticated connections, leading to memory exhaustion.
Memory Exhaustion Vulnerability in Widely Used Python Library
2 rules, 1 TTP
A memory exhaustion vulnerability (CVE-2026-33155) exists in a widely used Python library, affecting services like SageMaker, DataHub, and acryl-datahub due to an incomplete patch for CVE-2025-58367, requiring pinning to version 8.6.2.
Micronaut TimeConverterRegistrar Memory Exhaustion via Accept-Language Header
3 rules, 2 TTPs
Micronaut's `TimeConverterRegistrar` has an unbounded `formattersCache` that allows memory exhaustion via a crafted `Accept-Language` header. An unauthenticated attacker can crash the JVM by sending requests with novel locale tags to `@Format`-annotated endpoints, growing the cache until heap memory is exhausted. Affected are Micronaut applications with `micronaut-context` versions 4.3.0 and above, up to but not including 4.10.22.
Bandit WebSocket Memory Exhaustion Vulnerability
2 rules, 2 TTPs
An unauthenticated attacker can exhaust server memory by sending unbounded WebSocket continuation frames in Bandit-fronted applications, leading to a denial of service.
Hickory DNS NSEC3 Validation Vulnerability Leads to DoS
2 rules, 1 TTP
A vulnerability in Hickory DNS's NSEC3 closest-encloser proof validation allows a remote attacker to cause a denial of service by exhausting memory when processing crafted DNS responses with mismatched SOA records.