CVE-2026-35633
Unbounded Memory Allocation in OpenClaw Remote Media HTTP Handling
Publication date: 2026-04-09
Last updated on: 2026-04-15
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | up to 2026.3.22 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.22 and involves unbounded memory allocation during remote media HTTP error handling.
Attackers can exploit this by sending specially crafted HTTP error responses with very large bodies to remote media endpoints.
As a result, the application allocates excessive amounts of memory before it can handle the failure, potentially leading to resource exhaustion.
How can this vulnerability impact me?
The primary impact of this vulnerability is excessive memory consumption by the application when it processes crafted HTTP error responses.
This can lead to application instability or crashes due to resource exhaustion, potentially resulting in denial of service.
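A bounded reader for the error-handling path described above, as an added example that is not OpenClaw's code or its fix: it caps how many bytes of an HTTP error body are buffered and stops reading once the cap is reached. The 8 KiB limit, the function names and the sample input are assumptions, and chunks are assumed to be Buffers.

```javascript
// Added example (not OpenClaw code): cap the bytes buffered from an HTTP error body.
// MAX_ERROR_BODY_BYTES and every function name here are assumptions for illustration.
const MAX_ERROR_BODY_BYTES = 8 * 1024;

// Accumulator that keeps at most `limit` bytes in memory.
function makeCappedCollector(limit = MAX_ERROR_BODY_BYTES) {
  const parts = [];
  let kept = 0;
  let truncated = false;
  return {
    // Returns false once the cap is hit; the caller must stop reading.
    push(chunk) {
      const room = limit - kept;
      if (chunk.length > room) {
        if (room > 0) parts.push(chunk.subarray(0, room));
        kept = limit;
        truncated = true;
        return false;
      }
      parts.push(chunk);
      kept += chunk.length;
      return true;
    },
    result() {
      return { body: Buffer.concat(parts, kept), truncated };
    },
  };
}

// Async wrapper for a real response body (any async iterable of Buffers).
// Breaking out of `for await` on a Node Readable destroys the stream,
// so the rest of an oversized body is never pulled into memory.
async function readErrorBody(stream, limit = MAX_ERROR_BODY_BYTES) {
  const cap = makeCappedCollector(limit);
  for await (const chunk of stream) if (!cap.push(chunk)) break;
  return cap.result();
}

// Synchronous equivalent, used with the constructed input below.
function readErrorBodySync(chunks, limit = MAX_ERROR_BODY_BYTES) {
  const cap = makeCappedCollector(limit);
  for (const chunk of chunks) if (!cap.push(chunk)) break;
  return cap.result();
}

// Constructed input: a peer that would send `count` chunks of 64 KiB each.
function* oversizedErrorBody(count, stats) {
  for (let i = 0; i < count; i++) {
    stats.pulled++;
    yield Buffer.alloc(64 * 1024, 0x41);
  }
}
```

The `truncated` flag lets the caller log that an error body exceeded the cap, which is a useful signal when reviewing failures from a remote media host.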