CVE-2026-45078
Status: Received - Intake
Synapse Denial of Service via CPU Starvation

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.
CVSS Scores: not yet assigned

EPSS Scores: not yet evaluated (probability and percentile N/A)

Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-28
AI Q&A generated: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE

Vendor: matrix
Product: synapse
Version / Range: all versions up to 1.152.1 (excluding 1.152.1)
Exploitability
KEV: not listed

CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-45078 is a vulnerability in Synapse, an open source Matrix homeserver implementation. Prior to version 1.152.1, local authenticated users can exploit this issue to consume excessive CPU resources.

This excessive CPU consumption starves other requests of processing time, causing those requests to fail and resulting in denial of service for other users.

The vulnerability has been fixed in Synapse version 1.152.1.


How can this vulnerability impact me?

This vulnerability can lead to denial of service on a Synapse homeserver by allowing local authenticated users to consume excessive CPU resources.

As a result, other users' requests may fail because the server is starved of CPU, causing service disruption.

Homeservers that trust all local users are not at risk, but those that do not may be vulnerable.

A workaround is to deploy Synapse behind a reverse proxy configured to limit request rates, mitigating the attack until the patch is applied.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves local authenticated users causing Synapse to consume excessive CPU resources, leading to denial of service for other users.

Detection can focus on monitoring CPU usage patterns on the Synapse server, especially looking for unusually high CPU consumption by local user requests.

While no specific commands are provided, general commands to monitor CPU usage and processes on the server include:

  • Using top or htop to observe CPU usage in real time.
  • Using ps aux --sort=-%cpu to list processes consuming the most CPU.
  • Checking Synapse logs for unusual request patterns or errors indicating request starvation.

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in Synapse version 1.152.1. The primary mitigation step is to upgrade Synapse to version 1.152.1 or later.

As an immediate workaround, if Synapse is deployed behind a reverse proxy, configure the proxy to limit request rates to mitigate the attack.

Additionally, consider restricting or monitoring local authenticated user access if possible, since the vulnerability requires local authenticated users.
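The reverse-proxy rate-limiting workaround above, written out as an nginx fragment; this is an added example, not configuration from the advisory or the Synapse project. It assumes Synapse's client listener is on localhost:8008 (its documented default), and the hostname, certificate paths, zone name, rate and burst values are placeholders to tune for the deployment.

```nginx
# Added example: per-client rate limiting in front of Synapse.
# Assumes Synapse's client listener is on localhost:8008; the hostname,
# certificate paths, zone name, rate and burst are placeholders to tune.

# One token bucket per source address, 10 requests/second sustained.
limit_req_zone $binary_remote_addr zone=synapse_clients:10m rate=10r/s;
# Answer over-limit clients with 429, the status Matrix clients back off on,
# instead of nginx's default 503.
limit_req_status 429;

server {
    listen 443 ssl;
    server_name matrix.example.com;                                # placeholder

    ssl_certificate     /etc/ssl/certs/matrix.example.com.pem;     # placeholder
    ssl_certificate_key /etc/ssl/private/matrix.example.com.key;   # placeholder

    # Server-to-server traffic is left unthrottled so that a busy peer
    # homeserver is not mistaken for an abusive local user; regex locations
    # are matched in order of appearance, so this block must come first.
    location ~ ^/_matrix/federation/ {
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }

    # Client API: the sustained rate is capped; a burst of 40 is served
    # without delay so that login and initial sync still work, and anything
    # beyond that is rejected with 429.
    location ~ ^(/_matrix|/_synapse/client) {
        limit_req zone=synapse_clients burst=40 nodelay;

        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        client_max_body_size 50M;
    }
}
```

Per-address limiting is a stopgap: it throttles everyone behind one NAT together and does not bound a single account spread across many addresses, so upgrading to 1.152.1 remains the fix.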

