CVE-2026-49140
Deferred Deferred - Pending Action
Matrix Media Download DoS in Nanobot

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: VulnCheck

Description
Nanobot prior to version 0.2.1 contains a denial of service vulnerability in the Matrix channel media download handler that allows authenticated room members to exhaust process memory and bandwidth by sending media events with missing or invalid size metadata. Attackers can send multiple concurrent Matrix media events with omitted or invalid declared sizes to trigger simultaneous large media downloads that fully materialize response bodies before post-download rejection, consuming process resources until service degradation occurs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-20
NVD
CVE-2026-49140
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hkuds nanobot to 0.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Nanobot versions prior to 0.2.1 and involves a denial of service issue in the Matrix channel media download handler. Authenticated room members can exploit it by sending media events with missing or invalid size metadata. By sending multiple such events concurrently, attackers can trigger large media downloads that fully materialize response bodies before rejecting them, which exhausts process memory and bandwidth.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

The impact of this vulnerability is service degradation due to exhaustion of process memory and bandwidth. Attackers can cause denial of service by overwhelming the system with large media downloads triggered by malformed media events, potentially disrupting normal operations and availability of the affected service.

Detection Guidance

This vulnerability involves denial of service caused by authenticated room members sending media events with missing or invalid size metadata, leading to resource exhaustion during media downloads.

Detection can focus on monitoring for unusual or excessive media download activity in the Matrix channel, especially events with missing or invalid size metadata.

Since the vulnerability triggers by sending multiple concurrent media events with omitted or invalid declared sizes, network or system logs can be inspected for such anomalous media events.

Specific commands are not provided in the resources, but general approaches include:

  • Monitoring logs for media events lacking valid size metadata.
  • Using network traffic analysis tools (e.g., tcpdump, Wireshark) to identify large or repeated media downloads from Matrix channels.
  • Checking process memory and bandwidth usage spikes correlated with Matrix media downloads.
Mitigation Strategies

The primary mitigation is to update Nanobot to version 0.2.1 or later, where the vulnerability has been fixed.

The fix includes rejecting media events with missing or invalid size metadata before downloading, enforcing streaming downloads with byte caps, and limiting concurrent media downloads to prevent resource exhaustion.

Until updating, consider restricting authenticated users' ability to send media events or monitoring and limiting concurrent media downloads manually.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49140. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart