CVE-2026-49140
Matrix Media Download DoS in Nanobot
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Nanobot versions prior to 0.2.1 and involves a denial of service issue in the Matrix channel media download handler. Authenticated room members can exploit it by sending media events with missing or invalid size metadata. By sending multiple such events concurrently, attackers can trigger large media downloads that fully materialize response bodies before rejecting them, which exhausts process memory and bandwidth.
How can this vulnerability impact me? :
The impact of this vulnerability is service degradation due to exhaustion of process memory and bandwidth. Attackers can cause denial of service by overwhelming the system with large media downloads triggered by malformed media events, potentially disrupting normal operations and availability of the affected service.