Remote Memory Exhaustion Vulnerability in open62541 by open62541
CVE-2026-11946
7.5HIGH
Key Information:
- Status
- Vendor
- CVE Published:
- 2 July 2026
What is CVE-2026-11946?
A significant vulnerability in open62541 allows an unauthenticated remote attacker to exploit the GetEndpoints Discovery Service by sending oversized 'endpointUrl' strings. The service does not properly validate the length of this input, enabling attackers to exhaust server memory. By transmitting data in large chunks, up to approximately 4.09 GB, the attacker can keep the server's memory filled indefinitely, since the server buffers the incoming data until a SecureChannel timeout occurs. This pre-session attack effectively bypasses any encryption measures in place.
Affected Version(s)
open62541 1.4.0 <= 1.4.16
open62541 1.5.0 <= 1.5.4
open62541 master
