CVE-2026-44982
Received Received - Intake

Buffer Overflow in CrowdSec WAF Request Handling

Vulnerability report for CVE-2026-44982, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

CrowdSec offers crowdsourced protection against malicious IPs. From 1.5.0 until 1.7.8, pkg/appsec/request.go NewParsedRequestFromRequest allocated a request body buffer from max(r.ContentLength, 0), so HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests without a content-length header produced an empty body and caused WAF rules targeting REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML to be skipped. This issue is fixed in version 1.7.8.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
crowdsec crowdsec 1.5.0
crowdsec crowdsec to 1.7.7 (inc)
crowdsec crowdsec From 1.5.0 (inc) to 1.7.8 (inc)
crowdsec crowdsec 1.7.8

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44982 is a vulnerability in CrowdSec's Web Application Firewall (WAF) affecting versions 1.5.0 to 1.7.7. It occurs when HTTP/1.1 requests use Transfer-Encoding: chunked or HTTP/2 requests lack a content-length header. The parser allocates a zero-length buffer, causing the request body to be dropped silently. This prevents WAF rules targeting the body (like REQUEST_BODY or JSON) from inspecting malicious payloads, allowing them to bypass security checks.

Detection Guidance

To detect this vulnerability, monitor for HTTP requests with Transfer-Encoding: chunked or HTTP/2 requests without a Content-Length header that bypass WAF inspection. Check CrowdSec logs for skipped rule evaluations targeting REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML. Ensure CrowdSec is updated to version 1.7.8 or later to address the issue.

Impact Analysis

An unauthenticated attacker could exploit this to bypass WAF protections by sending specially crafted requests. Malicious payloads in the body (e.g., SQL injection, XSS) would evade detection since the WAF cannot inspect the dropped body. This could lead to unauthorized access, data breaches, or further attacks on your systems.

Compliance Impact

This vulnerability could violate compliance requirements that mandate WAF protections for sensitive data (e.g., GDPR's data protection measures or HIPAA's security rules). Bypassing WAF rules may result in unauthorized data exposure, failing audits and leading to legal or regulatory penalties.

Mitigation Strategies
  • Upgrade CrowdSec to version 1.7.8 or later to fix the request body parsing issue.
  • Review and update WAF rules to ensure they do not rely solely on request body inspection for critical security checks.
  • Monitor network traffic for suspicious requests with missing or malformed Content-Length headers.
  • Implement additional network-level protections to detect and block anomalous HTTP requests.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44982. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart