CVE-2026-59803
Received Received - Intake

Denial-of-Service in rpcx via Unbounded Gzip Decompression

Vulnerability report for CVE-2026-59803, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode (protocol/message.go). When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in size guard, protocol.MaxMessageLength, is checked against the compressed on-the-wire frame length, not the decompressed size, so it provides no protection. Because decoding (and decompression) occurs in readRequest before authentication, a single unauthenticated connection can send a small (under 2 MB) gzip-compressed message that expands to gigabytes of heap allocation, leading to out-of-memory conditions and service unavailability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
smallnest rpcx to 1.9.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in rpcx allows an unauthenticated attacker to cause a denial-of-service by sending a small gzip-compressed message that decompresses into a very large memory allocation, leading to service unavailability.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, denial-of-service vulnerabilities can impact the availability requirement of these regulations.

Specifically, GDPR and HIPAA require organizations to ensure the availability of systems processing personal or sensitive data. A successful denial-of-service attack exploiting this vulnerability could disrupt service availability, potentially leading to non-compliance with these regulations.

Therefore, this vulnerability poses a risk to compliance by threatening system availability, a key aspect of many security and privacy standards.

Executive Summary

CVE-2026-59803 is a denial-of-service vulnerability in the rpcx library (up to version 1.9.3) caused by improper handling of gzip-compressed messages. When a message has the compression flag set, the payload is decompressed without any limit on the decompressed size. The existing size check only verifies the compressed message size, not the decompressed size, allowing a small compressed message (under 2 MB) to expand into gigabytes of memory during decompression.

Because decompression happens before authentication, an unauthenticated attacker can send a maliciously crafted small compressed message that decompresses into a very large payload, causing excessive memory allocation, leading to out-of-memory conditions and service unavailability.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by exhausting server memory. An attacker can send a small compressed request that decompresses into a very large payload, causing the server to allocate gigabytes of memory. This can lead to out-of-memory kills or crashes, making the service unavailable to legitimate users.

Since the decompression occurs before any authentication or service lookup, even systems with authentication enabled are vulnerable. The attack affects all primary transport protocols supported by rpcx (TCP, KCP, QUIC, Unix socket) and is independent of backend or serialization codec.

Detection Guidance

This vulnerability involves an unauthenticated gzip decompression bomb attack where a small compressed message (under 2 MB) decompresses to gigabytes of memory usage, causing denial-of-service. Detection involves monitoring for unusually large memory allocations or out-of-memory conditions triggered by small incoming gzip-compressed payloads before authentication.

Since the decompression happens before authentication and service lookup, network detection can focus on identifying small gzip-compressed messages that decompress to unexpectedly large sizes.

Specific commands or tools to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation is to upgrade the rpcx library to a version that includes the fix from commit 047aec1, which introduces decompression size limits.

The fix adds a new package-level variable `MaxDecompressedLength` to cap the maximum decompressed payload size, preventing decompression bombs.

Server operators should configure the server with options such as `WithMaxDecompressedLength` and `WithMaxMessageLength` to enforce limits on decompressed and compressed message sizes.

Setting a reasonable decompression size limit (for example, 64MB) will help reject payloads that decompress beyond this threshold, mitigating the risk of out-of-memory conditions.

Until the fix is applied, be aware that the existing `protocol.MaxMessageLength` only limits compressed size and does not protect against this attack.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59803. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart