Source: open62541 Version: 1.4.11.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for open62541. CVE-2026-11946[0]: | An unauthenticated remote attacker can exhaust server memory via the | GetEndpoints Discovery Service in open62541. The endpointUrl field | of GetEndpointsRequest is not validated for length. An attacker can | declare an arbitrarily large string (up to ~4.09 GB via the UInt32 | length field) delivered across intermediate chunks without ever | sending the final chunk. The server buffers all chunks in RAM | indefinitely until the SecureChannel times out. The attack is pre- | session and bypasses all encryption configurations. The issue | affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through | 1.5.4, master. CVE-2026-33592[1]: | An unauthenticated remote attacker can exhaust server memory via the | FindServers Discovery Service in open62541. The serverUris field of | FindServersRequest is not validated for length or array size. An | attacker can declare an arbitrarily large string (up to ~3.9 GB) | delivered across intermediate chunks without ever sending the final | chunk. The server buffers all chunks in RAM indefinitely until the | SecureChannel times out. The attack is pre-session and bypasses all | encryption configuration. The issue affects open62541: from 1.4.0 | through 1.4.16, from 1.5.0 through 1.5.4, master. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-11946 https://www.cve.org/CVERecord?id=CVE-2026-11946 [1] https://security-tracker.debian.org/tracker/CVE-2026-33592 https://www.cve.org/CVERecord?id=CVE-2026-33592 [2] https://github.com/open62541/open62541/pull/8142 [3] https://github.com/open62541/open62541/commit/c9563e8ea4a8db2f64059c8ff7efe0b49a35bea3 Regards, Salvatore

