CVE-2026-43506
Status: Undergoing Analysis - In Progress
Memory Leak DoS in Prosody Server

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: MITRE

Description
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory exhaustion caused by memory leaks from unauthenticated connections.
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-14
References: NVD, EUVD
Affected Vendors & Products
Vendor Product Version / Range
prosody prosody before 0.12.6 (exclusive)
prosody prosody from 13.0.0 (inclusive) to 13.0.5 (exclusive)
CWE
CWE-401: The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in Prosody versions before 0.12.6 and in the 13.0 series before 13.0.5. It is a Denial of Service (DoS) issue caused by memory exhaustion: memory allocated for connections that never authenticate is not released, so memory consumption grows with each such connection.

Impact Analysis

The impact of this vulnerability is a Denial of Service condition. Because the leak is triggered by connections that never authenticate, no account or credentials are required: any peer that can reach the server's listening ports can repeatedly open such connections, exhaust system memory, and cause the Prosody service to crash or become unresponsive, disrupting normal operations. Memory leaked this way is not reclaimed when the offending connections close, so the effect accumulates over time rather than subsiding when the traffic stops.

Detection Guidance

Detection of exploitation involves monitoring the memory consumption of the Prosody process together with the rate of unauthenticated connections to the XMPP server. Prosody normally runs as a single Lua process, so its resident set size (RSS) is directly attributable. The distinguishing signature of a leak is RSS that keeps growing under a stream of short-lived, never-authenticated connections and does not fall back after those connections close; ordinary load from legitimate clients releases memory once sessions end. Administrators should therefore track both the Prosody process's memory usage over time and the volume of connections on the client-to-server port (5222 by default, or 5223 for direct TLS) that disconnect before completing authentication.

Suggested commands include using system monitoring tools to check memory usage and connection rates, for example:

  • Use 'top' or 'htop' to monitor the memory usage (RES/RSS column) of the Prosody process, or read 'VmRSS' from /proc/<prosody_pid>/status at intervals to see whether it trends upward.
  • Use 'ss -tnp state established "( sport = :5222 )"' (or 'netstat -anp | grep prosody' on older systems) to view active client connections handled by Prosody.
  • Use 'lsof -p <prosody_pid>' to check open connections and other resources held by the process.
  • Use 'prosodyctl shell c2s show' (Prosody 0.12 and later) to list current client sessions, including those that have not yet authenticated.
  • Monitor Prosody's logs for an unusual rate of connections that open and close without a successful authentication, or for sustained high connection rates from a small set of source addresses.
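The following watchdog script is an added example written for this page; it is not code from the Prosody project. It implements the detection described above by reading the Prosody process's resident set size from /proc/<pid>/status and counting established connections on the client port from 'ss -tn' output, and it raises an alert only when both exceed a threshold. The pidfile path, port number and thresholds are assumptions and should be adjusted for the deployment; the sample /proc and 'ss' text embedded at the bottom is constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not Prosody's own tooling): watch for the memory-leak DoS symptoms.
# Alert when Prosody's RSS and the number of client connections both exceed limits.
set -eu

C2S_PORT=${C2S_PORT:-5222}              # assumption: default Prosody c2s port
RSS_LIMIT_KB=${RSS_LIMIT_KB:-524288}    # assumption: alert above 512 MiB resident
CONN_LIMIT=${CONN_LIMIT:-200}           # assumption: alert above 200 established c2s sockets
PIDFILE=${PIDFILE:-/run/prosody/prosody.pid}   # assumption: Debian-style pidfile location

# Extract the resident set size in kB from the text of /proc/<pid>/status.
rss_kb_from_status() {
  printf '%s\n' "$1" | awk '/^VmRSS:/ { print $2; exit }'
}

# Count ESTAB sockets whose local port is $2 in `ss -tn` output passed as $1.
# Splitting the local address on ':' and taking the last field handles IPv6 too.
count_established() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "ESTAB" { n = split($4, a, ":"); if (a[n] == port) c++ }
    END { print c + 0 }'
}

# Exit status 0 means "leak suspected": memory is high AND many connections are open.
leak_suspected() {
  rss=$1; conns=$2
  if [ "$rss" -gt "$RSS_LIMIT_KB" ] && [ "$conns" -gt "$CONN_LIMIT" ]; then
    return 0
  fi
  return 1
}

# Live mode: gather the real numbers once and print a one-line verdict.
if [ "${1:-}" = "--live" ]; then
  pid=$(cat "$PIDFILE")
  rss=$(rss_kb_from_status "$(cat /proc/"$pid"/status)")
  conns=$(count_established "$(ss -tn)" "$C2S_PORT")
  if leak_suspected "$rss" "$conns"; then
    echo "ALERT prosody pid=$pid rss_kb=$rss c2s_established=$conns"
  else
    echo "ok prosody pid=$pid rss_kb=$rss c2s_established=$conns"
  fi
  exit 0
fi

# Constructed sample input (not captured from a real host) for offline checks.
SAMPLE_STATUS='Name:	lua5.4
VmRSS:	  614400 kB
Threads:	1'
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.5:5222 203.0.113.7:41234
ESTAB 0 0 10.0.0.5:5222 203.0.113.7:41235
ESTAB 0 0 [::ffff:10.0.0.5]:5222 [::ffff:198.51.100.9]:50000
ESTAB 0 0 10.0.0.5:5269 192.0.2.10:33000
SYN-RECV 0 0 10.0.0.5:5222 203.0.113.8:41000'
```

Run it as 'sh watch_prosody.sh --live' from cron or a systemd timer; the per-source breakdown (which addresses hold the open sockets) comes from 'ss -tnp' and is the input for the firewall limits described under mitigation. Requiring both conditions avoids paging on a busy but healthy server, and on a quiet server whose RSS nonetheless keeps rising; the latter is worth a separate trend alert from the 'VmRSS' samples alone.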
Mitigation Strategies

The fix is to upgrade the Prosody XMPP server to version 13.0.5 or later (or 0.12.6 or later for the 0.12 series), where the leak has been fixed. Until the upgrade is deployed, the measures below reduce how quickly an attacker can exhaust memory, but none of them stops the leak itself: memory that a never-authenticated connection leaks is not recovered when that connection is closed, so a patched build is the only complete remedy.

Additional recommended actions are:

  • Restrict, at the firewall, the rate of new connections and the number of concurrent connections per source address to the client port (5222/5223 by default), so that a single peer cannot open unauthenticated connections faster than the leak accumulates.
  • Lower Prosody's 'c2s_timeout' setting (the time an unauthenticated client session may stay open before the server closes it) so that idle unauthenticated sessions are dropped sooner; this limits concurrent sessions but does not reclaim memory already leaked.
  • Restart the Prosody service when its resident memory approaches the host's limit, as a stopgap that releases the leaked memory.
  • Disable the mod_proxy65 module if it is not needed. This addresses separate access-control issues in that module and is general hardening, not a fix for this CVE.
  • Ensure LuaExpat is linked against libexpat version 2.7.2 or later. This addresses separate memory-handling issues in the XML parser and is likewise general hardening rather than a fix for this CVE.
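The firewall limit above, as an added example for this page rather than configuration shipped by the Prosody project: a shell function that renders an nftables ruleset capping concurrent connections per source address and the global rate of new connections to the client port, plus an '--apply' mode that loads it with 'nft -f -'. The table name, port, per-source cap and rate are assumptions chosen for illustration; tune them to the number of clients a legitimate site (for example a NAT gateway) is expected to present.

```shell
#!/bin/sh
# Added example (not Prosody project code): nftables limits for the c2s port.
# The per-source cap uses a dynamic meter keyed on the source address; the global
# limit drops new-connection packets beyond the configured rate.
set -eu

# Print an nftables ruleset for port $1 with at most $2 concurrent connections per
# source address and at most $3 new connections per second overall.
render_nft_ruleset() {
  port=$1; per_src=$2; rate=$3
  cat <<EOF
table inet prosody_guard {
  chain input {
    type filter hook input priority 0; policy accept;
    # cap concurrent connections per source address to the c2s port (IPv4 and IPv6)
    tcp dport $port ct state new meter c2s_v4 { ip saddr ct count over $per_src } counter reject with tcp reset
    tcp dport $port ct state new meter c2s_v6 { ip6 saddr ct count over $per_src } counter reject with tcp reset
    # global ceiling on new connection attempts to the c2s port
    tcp dport $port ct state new limit rate over $rate/second burst $((rate * 2)) packets counter drop
  }
}
EOF
}

# Load the ruleset into the kernel; requires root and the nft binary.
apply_nft_ruleset() {
  render_nft_ruleset "$1" "$2" "$3" | nft -f -
}

# Defaults are assumptions: port 5222, 20 connections per source, 30 new/second.
if [ "${1:-}" = "--apply" ]; then
  apply_nft_ruleset "${C2S_PORT:-5222}" "${PER_SOURCE:-20}" "${NEW_PER_SEC:-30}"
elif [ "${1:-}" = "--show" ]; then
  render_nft_ruleset "${C2S_PORT:-5222}" "${PER_SOURCE:-20}" "${NEW_PER_SEC:-30}"
fi
```

Inspect the result with 'sh prosody_nft.sh --show' before applying, and check hit counts afterwards with 'nft list table inet prosody_guard'; the 'counter' on each rule shows whether the limits are being reached. Rejecting with a TCP reset rather than silently dropping keeps well-behaved clients from hanging on a half-open connection while still denying the attacker the session that would leak memory.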