Memory Management Issue in Next.js Framework by Vercel
CVE-2026-44577

5.9 MEDIUM

Key Information:

Vendor: Vercel

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-44577?

The Next.js framework, developed by Vercel, contains a vulnerability in its Image Optimization API. With the default image loader, the API can fetch local images without enforcing a size limit, which can lead to out-of-memory conditions. An attacker could exploit this by requesting overly large local assets via the /_next/image endpoint, which may exhaust the server's memory. The issue is fixed in Next.js 15.5.16 and 16.2.5, which underlines the importance of keeping libraries up to date.

Affected Version(s)

next.js: affected >= 10.0.0, < 15.5.16 (unaffected: < 10.0.0, 15.5.16)

next.js: affected >= 16.0.0, < 16.2.5 (unaffected: < 16.0.0, 16.2.5)
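
To check a project against the ranges listed above, the following added example (not code from this page or from Vercel) walks a package-lock.json and flags every installed copy of next, including nested ones. The function names are hypothetical, the lockfile layout assumed is npm's lockfileVersion 2 or 3, and treating pre-release tags as affected is an assumption.

```javascript
// Affected ranges as listed on this page: [first affected, first fixed).
const AFFECTED = [
  { from: "10.0.0", fixed: "15.5.16" },
  { from: "16.0.0", fixed: "16.2.5" },
];

// "15.5.16-canary.3" -> { nums: [15, 5, 16], pre: true }
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Compare numeric triples; returns negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Assumption: pre-releases are handled conservatively, so a pre-release of
// a fixed version (e.g. 16.2.5-canary.1) is still reported as affected.
function isAffected(version) {
  const { nums, pre } = parseVersion(version);
  return AFFECTED.some(({ from, fixed }) => {
    const lo = parseVersion(from).nums, hi = parseVersion(fixed).nums;
    if (cmp(nums, lo) < 0) return false;
    return cmp(nums, hi) < 0 || (cmp(nums, hi) === 0 && pre);
  });
}

// Walk a package-lock.json (lockfileVersion 2 or 3) and report every
// installed copy of "next"; "next-auth" and scoped names do not match.
function auditLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => /(^|\/)node_modules\/next$/.test(path))
    .map(([path, pkg]) => ({ path, version: pkg.version, affected: isAffected(pkg.version) }));
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/next": { version: "15.5.16" },
    "node_modules/legacy-widget/node_modules/next": { version: "14.2.3" },
    "node_modules/next-auth": { version: "4.24.7" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

In a real project, pass the parsed contents of package-lock.json to auditLockfile instead of SAMPLE_LOCK.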

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
