CVE-2026-57220
Received Received - Intake

RabbitMQ Stream Frame Size Limit Bypass

Vulnerability report for CVE-2026-57220, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

RabbitMQ is a messaging and streaming broker. Prior to 4.2.6, the RabbitMQ stream listener does not enforce the configured stream frame-size limit while assembling frames during authentication and before Tune negotiation, allowing an unauthenticated remote client to declare oversized frame lengths and consume broker memory in rabbit_stream_core. This issue is fixed in version 4.2.6.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rabbitmq rabbitmq to 4.2.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

The vulnerability can impact you by allowing an unauthenticated remote attacker to consume excessive memory resources on the RabbitMQ broker. This can lead to denial of service conditions, where the broker becomes unresponsive or crashes due to memory exhaustion.

Mitigation Strategies

To mitigate this vulnerability, upgrade RabbitMQ to version 4.2.6 or later, where the issue is fixed.

Compliance Impact

The vulnerability allows an unauthenticated remote client to declare oversized frame lengths and consume broker memory, potentially leading to denial of service. However, there is no information provided about any impact on confidentiality or integrity of data, or on personal data processing.

Since the vulnerability does not affect confidentiality or integrity, and only availability is impacted, its direct effect on compliance with standards like GDPR or HIPAAβ€”which primarily focus on protecting personal data confidentiality and integrityβ€”is unclear based on the provided information.

Executive Summary

This vulnerability exists in RabbitMQ versions prior to 4.2.6, specifically in the stream listener component. The issue is that the stream listener does not enforce the configured stream frame-size limit while assembling frames during authentication and before Tune negotiation. This allows an unauthenticated remote client to declare oversized frame lengths, which can lead to excessive consumption of broker memory in the rabbit_stream_core component.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57220. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart