Unauthenticated Out-of-Bounds Read in TDengine Time-Series Database
CVE-2026-62351

7.5HIGH

Key Information:

Vendor

Taosdata

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-62351?

TDengine is a time-series database designed for Internet of Things (IoT) applications. Before version 3.4.1.15, it contained a vulnerability in the transDecompressMsg() function located in source/libs/transport/src/transComm.c. This issue arises when the system processes an RPC packet without first validating its format. An attacker could exploit this vulnerability to trigger an unauthenticated out-of-bounds read, which could lead to uncontrolled memory allocation, integer underflow, and ultimately, a server crash. Users are advised to upgrade to version 3.4.1.15 or later to mitigate these risks.

Affected Version(s)

TDengine < 3.4.1.15

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.