<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rpcx - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/rpcx/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 20:18:47 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/rpcx/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-59803: rpcx Denial-of-Service Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-rpcx-dos/</link><pubDate>Wed, 08 Jul 2026 20:18:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-rpcx-dos/</guid><description>A denial-of-service vulnerability (CVE-2026-59803) in rpcx through version 1.9.3 allows an unauthenticated attacker to trigger out-of-memory conditions and service unavailability by sending a small, compressed message that expands to gigabytes of memory during decompression.</description><content:encoded><![CDATA[<p>A critical denial-of-service (DoS) vulnerability, tracked as CVE-2026-59803, exists in the popular rpcx Go RPC framework, affecting all versions up to 1.9.3. This vulnerability stems from improper handling of compressed messages within the <code>protocol.Message.Decode</code> function in <code>protocol/message.go</code>. An unauthenticated attacker can exploit this by sending a specially crafted, small (under 2 MB) gzip-compressed message. The <code>util.Unzip</code> function, used for decompression, lacks size limits on its output, allowing the small input to expand into gigabytes of memory allocation. The existing <code>protocol.MaxMessageLength</code> guard is ineffective as it only checks the compressed frame length, not the expanded decompressed size. This &quot;decompression bomb&quot; leads to out-of-memory conditions, causing the rpcx service to crash and become unavailable.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker establishes a connection to a vulnerable rpcx service.</li>
<li>The attacker crafts a malicious rpcx message with the compression flag set.</li>
<li>The payload of this message consists of a small (under 2 MB) gzip-compressed data stream engineered to expand exponentially upon decompression.</li>
<li>The attacker sends this crafted message over the established connection to the rpcx service.</li>
<li>The rpcx service's <code>readRequest</code> function receives the message prior to any authentication checks.</li>
<li>The <code>protocol.Message.Decode</code> function is invoked to process the message, which subsequently calls <code>util.Unzip</code> to decompress the payload.</li>
<li>During the decompression process, the maliciously crafted payload expands to consume gigabytes of the service's memory.</li>
<li>The service encounters an out-of-memory (OOM) condition, leading to its crash and resulting in a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The primary impact of CVE-2026-59803 is the complete denial of service for affected rpcx applications. Exploitation is unauthenticated, meaning any external attacker can crash vulnerable services, rendering them unavailable to legitimate users. This can lead to significant operational disruption, data unavailability, and potential financial losses for organizations relying on rpcx for their services. While no specific victim count or targeted sectors are available, any organization deploying rpcx services through version 1.9.3 is at risk of this easily triggered DoS.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-59803 immediately by upgrading rpcx to a patched version (1.9.4 or later) or applying commit 047aec1.</li>
<li>Monitor your rpcx application hosts for sudden spikes in memory usage or unexpected service restarts, which could indicate attempted exploitation of CVE-2026-59803.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>rpcx</category><category>go-lang</category></item></channel></rss>