Unauthenticated Out-of-Bounds Read in TDengine Time-Series Database
CVE-2026-62351
7.5HIGH
What is CVE-2026-62351?
TDengine is a time-series database designed for Internet of Things (IoT) applications. Before version 3.4.1.15, it contained a vulnerability in the transDecompressMsg() function located in source/libs/transport/src/transComm.c. This issue arises when the system processes an RPC packet without first validating its format. An attacker could exploit this vulnerability to trigger an unauthenticated out-of-bounds read, which could lead to uncontrolled memory allocation, integer underflow, and ultimately, a server crash. Users are advised to upgrade to version 3.4.1.15 or later to mitigate these risks.
Affected Version(s)
TDengine < 3.4.1.15
