CVE-2026-30873
Memory Leak in OpenWrt jp_get_token Function Causes Resource Exhaustion
Publication date: 2026-03-19
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openwrt | openwrt | to 24.10.6 (exc) |
| openwrt | openwrt | From 25.12.0 (inc) to 25.12.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the OpenWrt Project's jp_get_token function, which is responsible for breaking input expressions into tokens. In versions prior to 24.10.6 and 25.12.1, when extracting string literals, field labels, and regular expressions, the function uses dynamic memory allocation but fails to free the original memory after copying the data to a new jp_opcode object. This results in a memory leak.
How can this vulnerability impact me? :
The memory leak caused by this vulnerability can lead to increased memory usage over time, potentially degrading system performance or causing the device to run out of memory. This can affect the stability and reliability of embedded devices running vulnerable versions of OpenWrt.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your OpenWrt system to version 24.10.6 or 25.12.1 or later, where the memory leak issue in the jp_get_token function has been fixed.