Memory Exhaustion Vulnerability in open62541 Server by open62541
CVE-2026-33592

7.5HIGH

What is CVE-2026-33592?

A vulnerability exists in the FindServers Discovery Service of open62541, where an unauthenticated remote attacker could exploit inadequate validation of the serverUris field in FindServersRequest. This can lead to server memory exhaustion, as an attacker can submit an excessively large string—up to approximately 3.9 GB—through multiple chunks without sending a final chunk. Consequently, this causes server memory to be consumed indefinitely. Moreover, the attack occurs prior to any session establishment, thus circumventing any encryption settings that may be in place.

Affected Version(s)

open62541 1.4.0 <= 1.4.16

open62541 1.5.0 <= 1.5.4

open62541 master

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lorenzo Cannella from Fondazione Ugo Bordoni (FUB)
.