CVE-2026-42542
Received - Intake
Unauthenticated RPC Packet Crash in TDengine

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
TDengine is an open source, time-series database optimized for Internet of Things devices. In versions 3.4.0.0 through 3.4.1.5, an unauthenticated remote attacker can crash the taosd server process by sending a single crafted RPC packet. No credentials or prior session state are required. Version 3.4.1.6 fixes the issue.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product   Version / Range
tdengine  tdengine  From 3.4.0.0 (inc) to 3.4.1.5 (inc)
tdengine  tdengine  3.4.1.6
CWE ID    Description
CWE-191   The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Compliance Impact

This vulnerability allows an unauthenticated remote attacker to crash the TDengine server process, causing a denial of service. However, it does not impact confidentiality or integrity of data.

Since the vulnerability does not lead to unauthorized access or data leakage, it is unlikely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA.

Nevertheless, the availability impact (denial of service) could affect service continuity obligations under some regulations, depending on the context of use.

Executive Summary

This vulnerability affects TDengine, an open source time-series database optimized for Internet of Things devices. In versions 3.4.0.0 through 3.4.1.5, an unauthenticated remote attacker can crash the taosd server process by sending a single specially crafted RPC packet. This means that no credentials or prior session state are required to exploit this issue. The problem is fixed in version 3.4.1.6.

Impact Analysis

The vulnerability allows an unauthenticated remote attacker to cause a denial of service by crashing the taosd server process. This can disrupt the availability of the TDengine database service, potentially impacting applications and systems that rely on it for time-series data, especially in Internet of Things environments.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade TDengine to version 3.4.1.6 or later, as this version fixes the issue.
