denial of service

A critical availability weakness in Go’s standard library — tracked as CVE-2024-34156 — lets an attacker reliably crash a process that decodes untrusted gob data by driving the decoder into stack exhaustion. The flaw is simple in concept but serious in consequence: calling encoding/gob’s...

The open-source Node.js middleware body-parser has a high‑severity denial‑of‑service issue when parsing URL‑encoded request bodies; projects using versions earlier than 1.20.3 should treat this as urgent: upgrade immediately or apply strong mitigations to avoid resource‑exhaustion attacks...

The glibc library’s getaddrinfo implementation suffered a subtle — but operationally important — regression in late 2023 that introduced a memory leak capable of producing denial‑of‑service conditions in networked services: CVE‑2023‑5156 is a memory‑leak bug in getaddrinfo.c, introduced as a...

A subtle but consequential bug in the GNU C Library’s name-resolution path — tracked as CVE-2023-4806 — exposed a rare use‑after‑free in getaddrinfo() that can crash networked applications and, in realistic scenarios, be abused for denial of service. The issue is notable not because it’s easy to...

A critical denial-of-service vulnerability in the libvpx VP9 encoder — tracked as CVE-2023-44488 — allows specially crafted input to crash the encoder in libvpx versions prior to 1.13.1, posing a real availability risk for any service or application that performs VP9 encoding or otherwise embeds...

NASM users should immediately take notice: a segmentation fault bug in the IEEE output writer for NASM 2.16—tracked as CVE-2022-46457—can be triggered by a crafted assembly file and causes the assembler to crash, producing a denial-of-service condition for any workflow that processes untrusted...

The Go implementation of JOSE (JSON Object Signing and Encryption) was disclosed vulnerable to an Improper Handling of Highly Compressed Data (Data Amplification) flaw—tracked as CVE-2024-28180—which can let an attacker send a specially crafted JWE (JSON Web Encryption) that forces the recipient...

The discovery of CVE-2024-2494 exposed a simple but dangerous class of bug inside libvirt’s RPC deserialization: a negative array length read from an attacker-controlled RPC message can be passed to GLib’s g_new0 allocator and — because the negative value is interpreted as a very large unsigned...

A subtle bug in QEMU’s eepro100 network device emulator — tracked as CVE-2021-20255 — can drive the host-side QEMU process into an infinite recursion and stack overflow when the guest triggers a specific DMA reentry condition, allowing a guest user or process to exhaust CPU cycles or crash the...

An innocuous-looking three-character input — the Standard ML token exception — quietly exposed a logic flaw in the popular Python syntax-highlighting library Pygments, allowing attackers to force an infinite loop in the SML lexer and cause a denial-of-service condition across any system that...

A subtle bug in QEMU’s built‑in VNC server — tracked as CVE‑2023‑3354 — can be triggered by a remote, unauthenticated client and force a denial‑of‑service through a NULL pointer dereference during the TLS handshake, making this a high‑impact availability flaw that virtualization administrators...

A critical denial‑of‑service vulnerability in the widely used Python HTTP framework aiohttp lets a remote, unauthenticated attacker stop an application from serving requests by sending a single specially crafted multipart/form-data POST. The flaw — tracked as CVE‑2024‑30251 and fixed in aiohttp...

A subtle bug in Go’s standard library quietly opened a door for denial-of-service attacks: malformed ZIP entries could cause archive/zip’s Reader.Open to panic, crashing programs that relied on the io/fs.FS integration introduced in Go 1.16. The issue, tracked as CVE-2021-41772 (GO-2021-0264)...

The Verify function in Go’s crypto/dsa implementation (crypto/dsa/dsa.go) contained an input‑validation flaw that could be weaponized to force an application into an infinite loop and an effective denial‑of‑service; the bug was tracked as CVE‑2016‑3959 and fixed in the emergency releases Go...

A null-pointer dereference in a compact C JSON library has quietly become a textbook reminder that tiny dependencies can create outsized operational risk: CVE-2024-31755 identifies a segmentation violation in cJSON v1.7.17 that can be triggered when the second parameter to cJSON_SetValuestring...

PHP’s mb_encode_mimeheader() can be weaponized to deny service: the bug tracked as CVE‑2024‑2757 causes the function to enter an endless loop when fed specially crafted header text, allowing an attacker to tie up PHP worker processes and render mail‑handling components or web endpoints...

On April 4, 2024 the QUIC ecosystem faced a high‑severity availability risk when researchers disclosed CVE‑2024‑22189: a memory‑exhaustion flaw in the popular Go implementation quic‑go that lets a remote attacker force a peer to consume unbounded memory by abusing QUIC’s Connection ID...

A reachable assertion in QEMU’s SCTP checksum routine can be triggered from a guest and drop the host-side QEMU process, producing a reliability- and availability-impacting denial-of-service that operators should treat as urgent: CVE-2024-3567 is a net-layer assertion failure in...

A newly disclosed bug in the JasPer image library — tracked as CVE-2024-31744 — allows a specially crafted image to trigger an assertion failure in the JPC decoder and crash programs that use the library, producing a high‑impact denial‑of‑service (DoS) condition unless patched. Overview JasPer...

Rustls—the widely used, memory-safe TLS library written in Rust—contains a denial‑of‑service design flaw: under a specific, easily reproducible handshake sequence a blocking rustls server can enter an infinite loop inside rustls::conn::ConnectionCommon::complete_io(), consuming CPU and...