denial of service

CISA added CVE-2026-28318, an actively exploited SolarWinds Serv-U uncontrolled resource consumption flaw, to its Known Exploited Vulnerabilities catalog on June 5, 2026, warning federal agencies and private defenders that exposed file-transfer infrastructure now belongs at the front of the...

CVE-2026-40355 is a denial-of-service flaw disclosed in MIT Kerberos 5 before version 1.22.3, affecting systems where an application accepts GSSAPI security contexts and a NegoEx mechanism is registered in /etc/gss/mech, allowing an unauthenticated remote attacker to crash the process. The bug...

CVE-2026-40356 is a denial-of-service vulnerability in MIT Kerberos 5 before version 1.22.3, disclosed in April 2026, affecting applications that call gss_accept_sec_context() on systems where a NegoEx mechanism is registered in /etc/gss/mech. That dry sentence hides the practical problem: this...

Microsoft has listed CVE-2026-29181 as a high-severity denial-of-service flaw in OpenTelemetry-Go, affecting versions 1.36.0 through 1.40.0 and fixed in 1.41.0, where repeated multi-value baggage HTTP headers can trigger excessive CPU work and memory allocation in instrumented Go services. The...

Microsoft’s Security Update Guide lists CVE-2026-43896 as a jq denial-of-service vulnerability disclosed in May 2026, affecting jq 1.8.1 and earlier when recursive object merges can trigger unbounded recursion and crash the process. That sounds narrow until you remember where jq lives: in shell...

CVE-2026-46138 is a Linux kernel Bluetooth vulnerability published by NVD on May 28, 2026, after kernel.org assigned a CVE to an out-of-bounds read and potential infinite loop in the hci_le_create_big_complete_evt() event handler. The bug is not a Windows vulnerability, but it matters to...

CVE-2026-46003 is a newly published Linux kernel denial-of-service flaw, disclosed by NVD on May 27, 2026, in the QRTR nameserver code used around Qualcomm IPC Router networking, where unbounded node registration could allow memory exhaustion. The fix is almost comically small: cap the total...

Linux kernel maintainers disclosed CVE-2026-46102 on May 27, 2026, after fixing a stream parser bug in which aborted message assembly could leave a partially built socket buffer referenced and repeatedly leak memory. The flaw is not a flashy remote-code-execution headline, and NVD had not yet...

CVE-2026-8711 is a high-severity NGINX JavaScript vulnerability disclosed in May 2026 that can let an unauthenticated network attacker crash NGINX worker processes when js_fetch_proxy uses client-controlled variables and JavaScript handlers call ngx.fetch(). The headline risk is denial of...

CVE-2026-4890 is a high-severity dnsmasq denial-of-service vulnerability disclosed on May 11, 2026, in which a remote attacker can use a crafted DNS packet against DNSSEC validation to make the resolver unavailable, affecting Linux distributions, appliances, and embedded network products that...

CVE-2026-43620 is a newly disclosed rsync denial-of-service vulnerability affecting versions before 3.4.3, published May 20, 2026, in which a malicious sender-side peer can crash a pulling rsync client through an out-of-bounds array read in recv_files(). The headline sounds narrow, but the...

CVE-2026-7790 is a high-severity denial-of-service flaw published in May 2026 in ninenines cowlib, affecting versions from 0.6.0 before 2.16.1, where oversized HTTP chunk-size fields can force excessive CPU and memory use in exposed Erlang-based services. The bug is not a Windows vulnerability...

CVE-2026-43029 is a Linux kernel denial-of-service vulnerability, published by NVD on May 1, 2026, in which Multipath TCP receive handling can spin indefinitely when an application reads with MSG_PEEK | MSG_WAITALL, producing a soft lockup and high availability impact. The bug is not a...

CVE-2026-43491 is a newly published Linux kernel vulnerability, added to NVD on May 19, 2026, in the Qualcomm IPC Router name service code, where an unbounded stream of server registrations from a malicious client can exhaust kernel memory. The fix is not glamorous: cap registrations at 256 per...

CVE-2026-31767 is a Linux kernel vulnerability published on May 1, 2026, affecting Intel’s i915 DSI display path, where a faulty Display Stream Compression timing adjustment can trigger a local divide-by-zero crash on certain systems. The bug is rated medium severity, not because it opens a...

Microsoft disclosed CVE-2026-40413, a Windows TCP/IP denial-of-service vulnerability, in its May 12, 2026 Patch Tuesday release, rating it Important with a CVSS base score of 7.4 and listing no known public disclosure or exploitation at release. The dry wording hides the real operational point...

Microsoft disclosed CVE-2026-34339, a Windows Lightweight Directory Access Protocol denial-of-service vulnerability, in its May 12, 2026 Patch Tuesday release, adding it to a 137-CVE Microsoft security batch that also includes Windows TCP/IP, Netlogon, DNS, Hyper-V, Office, Edge, Azure, and...

Microsoft disclosed CVE-2026-40405 on May 12, 2026, as an Important-rated Windows TCP/IP denial-of-service vulnerability caused by a null pointer dereference that lets an unauthenticated attacker deny service over the network on affected Windows 11 and Windows Server 2025 systems. The...

Microsoft disclosed CVE-2026-35424 on May 12, 2026, as a Windows Internet Key Exchange protocol denial-of-service vulnerability, affecting systems that expose IKE/IPsec negotiation paths used by VPNs, secure tunnels, and policy-driven encrypted network communications. The advisory does not make...

CVE-2026-43308 is a newly published Linux kernel vulnerability, recorded by NVD on May 8, 2026, covering a Btrfs fix that replaces a kernel-crashing BUG() in run_one_delayed_ref() with ordinary error handling and logging when an unexpected delayed-reference type appears. That sounds almost...