CVE-2026-11946

Memory Exhaustion in open62541 via GetEndpointsRequest


Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: ENISA

Description

An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32 length field) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configurations. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 4 associated CPEs
Vendor | Product | Version / Range
open62541 | open62541 | *
open62541 | open62541 | From 1.4.0 (inc) to 1.4.16 (inc)
open62541 | open62541 | From 1.5.0 (inc) to 1.5.4 (inc)
open62541 | open62541 | From master (inc)

Exploitability

CWE
CWE ID | Description
CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Executive Summary

This vulnerability allows an unauthenticated remote attacker to exhaust the server's memory by exploiting the GetEndpoints Discovery Service in open62541.

Specifically, the endpointUrl field of the GetEndpointsRequest is not validated for length, enabling an attacker to declare an arbitrarily large string (up to approximately 4.09 GB) that is delivered in chunks without ever sending the final chunk.

The server buffers all these chunks in RAM indefinitely until the SecureChannel times out, causing memory exhaustion.

This attack occurs before any session is established and bypasses all encryption configurations.

Impact Analysis

The primary impact of this vulnerability is a denial-of-service (DoS) condition caused by server memory exhaustion.

An attacker can send large, incomplete requests that cause the server to allocate and hold large amounts of memory indefinitely, potentially leading to server crashes or degraded performance.

Since the attack is unauthenticated and pre-session, it requires no credentials and works regardless of the server's encryption configuration.

Mitigation Strategies

To mitigate this vulnerability in open62541, ensure that the server enforces default limits on message size and chunk count to prevent denial-of-service attacks.

  • Apply the patch that sets safe default values for tcpMaxMsgSize (512 MB per message) and tcpMaxChunks (16,384 chunks) when these are configured as zero.
  • Verify that your open62541 server version includes the fix implemented in the createServerSecureChannel function, which applies these limits during secure channel creation.

If you are running affected versions (1.4.0 through 1.4.16, 1.5.0 through 1.5.4, or master), upgrade to a patched version or apply the patch from the official repository.
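
The following added example (not open62541 code and not taken from the patch) models in plain C what the mitigation describes: a limit configured as 0 is replaced by the 512 MB and 16,384-chunk defaults at channel creation, and every chunk is checked against both limits before it is buffered. ChannelModel, channel_init, channel_on_chunk and feed_intermediate are hypothetical names, and the chunk sizes fed in are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* Defaults quoted in the mitigation text above. */
#define DEFAULT_MAX_MSG_SIZE (512u * 1024u * 1024u) /* 512 MB per message */
#define DEFAULT_MAX_CHUNKS 16384u

/* Hypothetical model of one channel's reassembly state (not open62541 types). */
typedef struct {
    uint32_t maxMsgSize, maxChunks; /* effective limits, never 0 after init */
    uint64_t bufferedBytes;         /* bytes held for the unfinished message */
    uint32_t bufferedChunks;
} ChannelModel;
typedef enum { CHUNK_OK, MSG_COMPLETE, ERR_TOO_LARGE, ERR_TOO_MANY_CHUNKS } ChunkResult;

/* Release everything buffered (assumption: a real server also closes the channel). */
static void channel_drop(ChannelModel *ch) { ch->bufferedBytes = 0; ch->bufferedChunks = 0; }

/* Channel creation: a configured 0 is replaced by the finite default. */
void channel_init(ChannelModel *ch, uint32_t cfgMaxMsgSize, uint32_t cfgMaxChunks) {
    ch->maxMsgSize = cfgMaxMsgSize ? cfgMaxMsgSize : DEFAULT_MAX_MSG_SIZE;
    ch->maxChunks = cfgMaxChunks ? cfgMaxChunks : DEFAULT_MAX_CHUNKS;
    channel_drop(ch);
}

/* Account for one chunk body; check both limits before buffering it. */
ChunkResult channel_on_chunk(ChannelModel *ch, uint32_t bodyLen, int isFinal) {
    if (ch->bufferedChunks + 1u > ch->maxChunks) { channel_drop(ch); return ERR_TOO_MANY_CHUNKS; }
    if (ch->bufferedBytes + bodyLen > ch->maxMsgSize) { channel_drop(ch); return ERR_TOO_LARGE; }
    ch->bufferedBytes += bodyLen;
    ch->bufferedChunks++;
    if (!isFinal) return CHUNK_OK; /* intermediate chunk: keep waiting */
    channel_drop(ch);              /* final chunk: message handed on, buffer freed */
    return MSG_COMPLETE;
}

/* Feed only intermediate chunks (no final chunk); return how many were accepted. */
uint32_t feed_intermediate(ChannelModel *ch, uint32_t bodyLen, uint32_t count, ChunkResult *last) {
    uint32_t accepted = 0;
    for (*last = CHUNK_OK; accepted < count; accepted++)
        if ((*last = channel_on_chunk(ch, bodyLen, 0)) != CHUNK_OK) break;
    return accepted;
}

int main(void) {
    ChannelModel ch; ChunkResult last;
    channel_init(&ch, 0, 0); /* both limits left unconfigured */
    printf("accepted %u\n", (unsigned)feed_intermediate(&ch, 65536, 20000, &last));
    return 0;
}
```

With both limits left at 0, a stream of 64 KiB intermediate chunks is cut off at the 512 MB message limit, while a stream of small chunks is cut off at the chunk-count limit, so the memory held for an unfinished message stays bounded in either case.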
