CVE-2026-40303
Received Received - Intake
Unbounded Memory Allocation in zrok OAuth Proxy Causes OOM

Publication date: 2026-04-17

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40303
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
netfoundry zrok to 2.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the zrok software, which is used for sharing web services, files, and network resources. Before version 2.0.1, the function endpoints.GetSessionCookie improperly handles an attacker-supplied cookie chunk count by allocating memory without any upper limit before validating the token. This flaw can be exploited by an unauthenticated remote attacker sending requests to an OAuth-protected proxy share, causing the software to allocate very large amounts of memory.

Because this function is called on every request to the affected proxies (publicProxy and dynamicProxy), an attacker can repeatedly trigger large memory allocations, leading to process crashes due to out-of-memory (OOM) conditions or repeated goroutine panics.

The issue was fixed in version 2.0.1 of zrok.

Impact Analysis

This vulnerability can cause denial of service (DoS) conditions by allowing an attacker to exhaust the memory resources of the system running zrok. Specifically, an unauthenticated remote attacker can cause the process to terminate unexpectedly due to out-of-memory errors or cause repeated panics in goroutines, disrupting the availability of the service.

Since the vulnerability affects OAuth-protected proxy shares, it can impact the availability of shared web services, files, and network resources that rely on zrok, potentially causing downtime or service interruptions.

Mitigation Strategies

The vulnerability is fixed in zrok version 2.0.1. Immediate mitigation involves upgrading the zrok software to version 2.0.1 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40303. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart