CVE-2026-33592

Memory Exhaustion in open62541 FindServersRequest

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: ENISA

Description

An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service in open62541. The serverUris field of FindServersRequest is not validated for length or array size. An attacker can declare an arbitrarily large string (up to ~3.9 GB) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configuration. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor | Product | Version / Range
open62541 | open62541 | From 1.4.0 (inc) to 1.4.16 (inc)
open62541 | open62541 | From 1.5.0 (inc) to 1.5.4 (inc)
open62541 | open62541 | From master (inc)

Exploitability

CWE ID | Description
CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Executive Summary

This vulnerability allows an unauthenticated remote attacker to exhaust the server's memory by exploiting the FindServers Discovery Service in open62541.

Specifically, the serverUris field of the FindServersRequest is not validated for length or array size, enabling an attacker to declare an arbitrarily large string (up to approximately 3.9 GB) delivered across multiple intermediate chunks without ever sending the final chunk.

The server buffers all these chunks in RAM indefinitely until the SecureChannel times out, leading to memory exhaustion.

This attack occurs before any session is established and bypasses all encryption configurations.

The issue affects open62541 versions from 1.4.0 through 1.4.16, 1.5.0 through 1.5.4, and the master branch.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition by exhausting the server's memory resources.

An attacker can cause the server to consume excessive RAM by sending large, incomplete requests that are buffered indefinitely.

As a result, legitimate users may experience degraded performance or complete unavailability of the affected open62541 server.

Since the attack is unauthenticated and bypasses encryption, it can be executed remotely without any credentials.

Detection Guidance

This vulnerability involves an unauthenticated remote attacker sending an arbitrarily large string in the serverUris field of FindServersRequest, delivered across many intermediate chunks without a final chunk, causing the server to buffer all chunks in RAM indefinitely.

Detection on your network or system would involve monitoring for unusually large or incomplete FindServersRequest messages being sent to the open62541 server, especially those that do not complete and cause memory usage to increase abnormally.

Specific commands or tools are not provided in the available resources or CVE description. However, network traffic analysis tools like Wireshark or tcpdump could be used to capture OPC UA traffic and filter for FindServersRequest messages with large or fragmented serverUris fields.

Additionally, monitoring server memory usage and logs for signs of memory exhaustion or unusually long-lived SecureChannel sessions without completion could help detect exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability, update the open62541 server to a version that includes the fix, which enforces default message and chunk size limits.

The fix introduces safe default limits of 512 MB per message and 16,384 chunks when the configuration values tcpMaxMsgSize or tcpMaxChunks are set to zero, preventing attackers from sending excessively large messages or unlimited chunks that exhaust server memory.

If updating immediately is not possible, configure the server to set explicit limits on tcpMaxMsgSize and tcpMaxChunks to reasonable values to prevent unbounded memory usage.
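
The chunk accounting that the detection and mitigation sections above rely on, as an added example that is not open62541 code: a per-channel counter over OPC UA TCP chunk headers that applies the 512 MB and 16,384-chunk defaults when a limit is configured as 0. The struct, the function names and the choice to count whole chunk sizes toward the message limit are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Defaults the page attributes to the fix; used when a limit is set to 0. */
#define DEFAULT_MAX_MSG_SIZE (512u * 1024u * 1024u)
#define DEFAULT_MAX_CHUNKS   16384u

typedef enum { CHUNK_BUFFERED, MSG_COMPLETE, MSG_ABORTED, ERR_MALFORMED,
               ERR_MSG_TOO_LARGE, ERR_TOO_MANY_CHUNKS } chunk_result;

/* Per-SecureChannel reassembly counters (hypothetical, not open62541's). */
typedef struct { uint64_t bytes; uint32_t chunks; } reassembly_state;

/* Account for one chunk from its 8-byte OPC UA TCP header: "MSG", a chunk
 * flag (C = intermediate, F = final, A = abort), uint32 LE chunk size.
 * Assumption: the whole chunk size counts toward the message limit. */
chunk_result account_chunk(reassembly_state *st, const uint8_t hdr[8],
                           uint32_t max_msg, uint32_t max_chunks) {
    if (max_msg == 0) max_msg = DEFAULT_MAX_MSG_SIZE;
    if (max_chunks == 0) max_chunks = DEFAULT_MAX_CHUNKS;
    uint32_t size = (uint32_t)hdr[4] | (uint32_t)hdr[5] << 8 |
                    (uint32_t)hdr[6] << 16 | (uint32_t)hdr[7] << 24;
    if (memcmp(hdr, "MSG", 3) != 0 || size < 8) return ERR_MALFORMED;
    if (hdr[3] != 'C' && hdr[3] != 'F' && hdr[3] != 'A') return ERR_MALFORMED;
    chunk_result r;
    if (hdr[3] == 'A') r = MSG_ABORTED;
    else if (st->chunks >= max_chunks) r = ERR_TOO_MANY_CHUNKS;
    else if (st->bytes + size > max_msg) r = ERR_MSG_TOO_LARGE;
    else {
        st->bytes += size;
        st->chunks++;
        if (hdr[3] == 'C') return CHUNK_BUFFERED;  /* still waiting for F */
        r = MSG_COMPLETE;
    }
    st->bytes = 0;  /* message done, aborted or rejected: drop buffered state */
    st->chunks = 0;
    return r;
}

/* Feed up to n chunks with identical headers (constructed input); stops at
 * the first result other than CHUNK_BUFFERED and returns it. */
chunk_result feed(reassembly_state *st, char flag, uint32_t size, uint32_t n,
                  uint32_t max_msg, uint32_t max_chunks) {
    uint8_t hdr[8] = { 'M', 'S', 'G', (uint8_t)flag, (uint8_t)size,
        (uint8_t)(size >> 8), (uint8_t)(size >> 16), (uint8_t)(size >> 24) };
    chunk_result r = CHUNK_BUFFERED;
    for (uint32_t i = 0; i < n && r == CHUNK_BUFFERED; i++)
        r = account_chunk(st, hdr, max_msg, max_chunks);
    return r;
}
```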

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
