{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/element/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["matrix-synapse (\u003c 1.152.1)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","synapse","cpu-starvation"],"_cs_type":"advisory","_cs_vendors":["Element"],"content_html":"\u003cp\u003eA denial-of-service (DoS) vulnerability, identified as CVE-2026-45078, affects Synapse, a Matrix homeserver implementation. Local authenticated users can exploit this vulnerability to starve other requests of CPU resources, causing request failures and denying service to other users. This vulnerability is present in Synapse versions prior to 1.152.1. Homeservers that trust all their local users are not at risk. Element has released Synapse version 1.152.1 to address this issue. Applying rate limiting at a reverse proxy deployed in front of Synapse can mitigate the impact.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA local, authenticated user logs into the Synapse homeserver.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a series of requests that consume excessive CPU resources on the Synapse server. This could involve complex queries, large data transfers, or computationally intensive operations.\u003c/li\u003e\n\u003cli\u003eThe attacker sends these crafted requests to the Synapse server.\u003c/li\u003e\n\u003cli\u003eThe Synapse server begins processing the attacker\u0026rsquo;s requests, dedicating significant CPU resources to them.\u003c/li\u003e\n\u003cli\u003eLegitimate user requests arrive at the Synapse server.\u003c/li\u003e\n\u003cli\u003eDue to the CPU resources being consumed by the attacker\u0026rsquo;s requests, legitimate user requests are delayed or dropped.\u003c/li\u003e\n\u003cli\u003eUsers experience degraded performance or complete denial of service.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully causes a denial of service by exhausting CPU resources, preventing other users from accessing the Synapse homeserver.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial of service, preventing legitimate users from accessing the Synapse homeserver. The number of affected users depends on the size and activity of the Synapse deployment. Organizations relying on Synapse for critical communication may experience significant disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Synapse to version 1.152.1 or later to patch CVE-2026-45078.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible, configure a reverse proxy in front of Synapse to limit the rate of user requests, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor CPU usage on the Synapse server for unusual spikes that may indicate an ongoing attack. Use process accounting logs to identify high-CPU processes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect High CPU Usage by Synapse Process\u0026rdquo; to identify potential DoS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T16:25:15Z","date_published":"2026-05-14T16:25:15Z","id":"https://feed.craftedsignal.io/briefs/2026-05-synapse-cpu-starvation/","summary":"A denial-of-service vulnerability exists in Synapse where local authenticated users can cause CPU starvation, leading to request failures for other users (CVE-2026-45078).","title":"Synapse CPU Starvation Denial of Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-synapse-cpu-starvation/"}],"language":"en","title":"CraftedSignal Threat Feed — Element","version":"https://jsonfeed.org/version/1.1"}