CVE-2026-7572
Off-by-One Error in Velociraptor Causes DoS via .evtx File

Publication date: 2026-05-06

Last updated on: 2026-06-01

Assigner: Rapid7, Inc.

Description
An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin.
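The CWE-193 shape of this bug, as an added illustration that is not Velociraptor's code or the page's: a hypothetical Go reader (names consumeUint16ArrayVuln, consumeUint16ArrayFixed, Panics and CraftedTail are assumptions) whose byte-length check is right but whose loop reads one element too many, so a uint16 array that ends exactly at the last byte of a crafted buffer makes the parser panic, alongside the corrected loop bound.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrTruncated = errors.New("evtx: uint16 array extends past end of buffer")

// consumeUint16ArrayVuln is a hypothetical reader (not Velociraptor's code).
// The length check is correct, but the loop runs count+1 times, so an array
// ending at the buffer's last byte is read one element past its end (CWE-193).
func consumeUint16ArrayVuln(buf []byte, offset, count int) ([]uint16, error) {
	if offset < 0 || count < 0 || offset+count*2 > len(buf) {
		return nil, ErrTruncated
	}
	out := make([]uint16, 0, count)
	for i := 0; i <= count; i++ { // BUG: <= should be <
		out = append(out, binary.LittleEndian.Uint16(buf[offset+2*i:]))
	}
	return out, nil
}

// consumeUint16ArrayFixed bounds the loop by the validated count.
func consumeUint16ArrayFixed(buf []byte, offset, count int) ([]uint16, error) {
	if offset < 0 || count < 0 || offset+count*2 > len(buf) {
		return nil, ErrTruncated
	}
	out := make([]uint16, count)
	for i := 0; i < count; i++ {
		out[i] = binary.LittleEndian.Uint16(buf[offset+2*i:])
	}
	return out, nil
}

// Panics reports whether fn panics; unrecovered in a parser plugin, that panic is the process crash.
func Panics(fn func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	fn()
	return false
}

// CraftedTail is a constructed 6-byte buffer: a 3-element uint16 array that fills it exactly.
var CraftedTail = []byte{0x01, 0x00, 0x02, 0x00, 0x03, 0x00}

func main() {
	fmt.Println("vulnerable reader panics:", Panics(func() { consumeUint16ArrayVuln(CraftedTail, 0, 3) }))
	fmt.Println(consumeUint16ArrayFixed(CraftedTail, 0, 3))
}
```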
Meta Information
Published: 2026-05-06
Last Modified: 2026-06-01
Generated: 2026-06-16
AI Q&A: 2026-05-06
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: rapid7
Product: velociraptor
Version / Range: up to 0.76.5 (excluding 0.76.5)
CWE
CWE-193: A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Executive Summary

CVE-2026-7572 is an off-by-one error (CWE-193) vulnerability in the Velociraptor EVTX Parser affecting versions up to 0.76.1 on Windows and Linux.

The error exists in the ConsumeUnit16Array and ConsumeUnit64Array functions and can be triggered when a local attacker provides a specially crafted .evtx file to the parse_evtx VQL plugin.

Exploiting this vulnerability causes a Denial of Service (DoS) by crashing the process that parses the EVTX file.

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) by crashing the Velociraptor client process when it parses a specially crafted .evtx file.

Users who parse EVTX files via specific artifacts may experience client crashes that are reported back to the server, potentially disrupting normal operations.

The impact on confidentiality and integrity is low, but availability can be affected due to the process crash.

Detection Guidance

This vulnerability manifests as a Denial of Service (DoS) via a process crash when a specially crafted .evtx file is parsed by the parse_evtx VQL plugin in Velociraptor versions before 0.76.5.

Detection involves monitoring for client crashes related to EVTX file parsing activities, especially those triggered by artifacts that parse EVTX files.

A practical approach is to check Velociraptor client logs for crashes or errors occurring during execution of the parse_evtx VQL plugin or while processing EVTX files.

Using artifacts that collect raw EVTX files for offline parsing (e.g., Windows.Triage.Targets) can help isolate and analyze suspicious EVTX files without triggering the vulnerability.

No specific commands are provided in the available resources for direct detection of this vulnerability.

Mitigation Strategies

The primary mitigation is to upgrade Velociraptor to version 0.76.5 or later, where this off-by-one error vulnerability has been fixed.

As a workaround, avoid using artifacts that parse EVTX files directly with the vulnerable parse_evtx VQL plugin.

Instead, use artifacts that collect raw EVTX files for offline parsing, such as Windows.Triage.Targets, to prevent client crashes caused by maliciously crafted EVTX files.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
