CVE-2026-7572
Status: Awaiting Analysis (Queue)
Off-by-One Error in Velociraptor Causes DoS via .evtx File

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: Rapid7, Inc.

Description
An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin.
Meta Information
Published: 2026-05-06
Last Modified: 2026-05-06
Generated: 2026-05-27
AI Q&A: 2026-05-06
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 2 associated CPEs
Vendor: velocidex, Product: velociraptor, Version / Range: up to 0.76.1 (inclusive)
Vendor: velocidex, Product: velociraptor, Version / Range: from 0.76.5 (inclusive)
CWE
CWE-193: A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7572 is an off-by-one error (CWE-193) vulnerability in the Velociraptor EVTX Parser affecting versions up to 0.76.1 on Windows and Linux.

The error exists in the ConsumeUnit16Array and ConsumeUnit64Array functions and can be triggered when a local attacker provides a specially crafted .evtx file to the parse_evtx VQL plugin.

Exploiting this vulnerability causes a Denial of Service (DoS) by crashing the process that parses the EVTX file.

How can this vulnerability impact me?

This vulnerability can cause a Denial of Service (DoS) by crashing the Velociraptor client process when it parses a specially crafted .evtx file.

Users who parse EVTX files via specific artifacts may experience client crashes that are reported back to the server, potentially disrupting normal operations.

The impact on confidentiality and integrity is low, but availability can be affected due to the process crash.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a Denial of Service (DoS) via a process crash when a specially crafted .evtx file is parsed by the parse_evtx VQL plugin in Velociraptor versions before 0.76.5.

Detection involves monitoring for client crashes related to EVTX file parsing activities, especially those triggered by artifacts that parse EVTX files.

A practical approach is to check Velociraptor client logs for crashes or errors occurring during the execution of parse_evtx VQL plugin or when processing EVTX files.

Using artifacts that collect raw EVTX files for offline parsing (e.g., Windows.Triage.Targets) can help isolate and analyze suspicious EVTX files without triggering the vulnerability.

No specific commands are provided in the available resources for direct detection of this vulnerability.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Velociraptor to version 0.76.5 or later, where this off-by-one error vulnerability has been fixed.

As a workaround, avoid using artifacts that parse EVTX files directly with the vulnerable parse_evtx VQL plugin.

Instead, use artifacts that collect raw EVTX files for offline parsing, such as Windows.Triage.Targets, to prevent client crashes caused by maliciously crafted EVTX files.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.