CVE-2026-42886
Memory Exhaustion in Audiobookshelf via ZIP Upload
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| audiobookshelf | audiobookshelf | up to 2.32.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-409 | The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42886 is a memory amplification denial-of-service (DoS) vulnerability in the Audiobookshelf application versions prior to 2.32.2. It occurs in the backup upload functionality, specifically at the POST /api/backups/upload endpoint.
The vulnerability arises because the 'details' entry from an uploaded .audiobookshelf ZIP file is decompressed entirely into memory without any limit on its decompressed size. Additionally, the upload middleware does not impose any file size limits.
An attacker with admin privileges can exploit this by uploading a specially crafted ZIP file containing a highly compressed 'details' entry. When decompressed, this entry consumes hundreds of megabytes or even gigabytes of memory, causing the server process to crash due to out-of-memory errors.
How can this vulnerability impact me?
This vulnerability can cause a denial-of-service condition by crashing the Audiobookshelf server process through out-of-memory errors.
Since the decompression consumes excessive memory, it can disrupt service availability, potentially leading to downtime or degraded performance.
Exploitation requires admin privileges, so the impact is limited to users who already have high-level access, but it can still be used maliciously to disrupt operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for out-of-memory (OOM) crashes or unusually high memory usage on the audiobookshelf server process, especially when handling backup uploads.
Since the issue arises from the POST /api/backups/upload endpoint processing large or crafted ZIP files, you can inspect logs or network traffic for large or suspicious backup upload requests.
Suggested commands to detect potential exploitation or symptoms include:
- Use system monitoring tools like `top` or `htop` to observe memory usage spikes of the audiobookshelf process.
- Check system logs for OOM killer events: `dmesg | grep -i 'out of memory'` or `journalctl -k | grep -i oom`.
- Inspect web server or application logs for POST requests to /api/backups/upload with large payloads.
- Use network monitoring tools like `tcpdump` or `wireshark` to capture and analyze HTTP POST requests to the backup upload endpoint.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade audiobookshelf to version 2.32.2 or later, where this vulnerability is fixed.
Additional immediate steps include:
- Implement size checks on the 'details' entry within uploaded ZIP files to limit decompression size (e.g., restrict to 10 MB).
- Configure the upload middleware to enforce a maximum file size limit (e.g., 4 GB) to prevent arbitrarily large uploads.
- Restrict admin user access to trusted personnel only, as exploitation requires admin privileges.
- Monitor server memory usage and logs for signs of exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.