CVE-2026-33241 is a resource exhaustion vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the Salvo Rust web framework versions prior to 0.89.3. The vulnerability exists in the form data parsing implementations, specifically the `form_data()` method and the `Extractible` macro, which fail to enforce any payload size restrictions before reading HTTP request bodies into memory. An attacker can exploit this by sending an excessively large form data payload, causing the server to allocate large amounts of memory without bounds. This leads to Out-of-Memory (OOM) conditions, crashing the service and resulting in denial of service. The vulnerability is remotely exploitable without requiring authentication or user interaction, making it highly accessible to attackers. The CVSS 4.0 base score is 8.7 (high), reflecting the network attack vector, no required privileges or user interaction, and a high impact on availability. The issue was resolved in Salvo version 0.89.3 by introducing payload size limits during form data parsing, preventing uncontrolled memory allocation. No public exploits are known at this time, but the vulnerability poses a significant risk to any web applications using vulnerable Salvo versions for handling form data.

The primary impact of CVE-2026-33241 is denial of service due to server crashes caused by memory exhaustion. Organizations running web applications built on vulnerable versions of the Salvo framework risk service outages when attackers send large payloads to exhaust server memory. This can disrupt business operations, degrade user experience, and potentially lead to cascading failures in dependent systems. Since the vulnerability does not require authentication or user interaction, it can be exploited by any remote attacker, increasing the attack surface. High-availability services and critical infrastructure relying on Salvo for web request handling are particularly at risk. Additionally, repeated exploitation attempts could increase operational costs due to resource consumption and incident response. Although no data confidentiality or integrity impacts are indicated, the availability impact alone can be severe, especially for public-facing services.

To mitigate CVE-2026-33241, organizations should immediately upgrade all Salvo framework instances to version 0.89.3 or later, which includes the patch enforcing payload size limits during form data parsing. Until upgrades can be applied, implement network-level protections such as rate limiting, request size restrictions, and web application firewalls (WAFs) to block or throttle excessively large HTTP requests targeting form data endpoints. Monitoring for unusual spikes in request sizes or memory usage can help detect attempted exploitation. Developers should review application code to ensure no other unbounded resource allocations exist in request handling. Additionally, deploying resource quotas and memory limits at the container or operating system level can help contain the impact of potential attacks. Regularly updating dependencies and maintaining an inventory of framework versions in use will aid in timely vulnerability management.