CVE-2026-57220: CWE-770: Allocation of Resources Without Limits or Throttling in rabbitmq rabbitmq-server
CVE-2026-57220 is a vulnerability in RabbitMQ server prior to version 4.2.6 where the stream listener does not enforce the configured stream frame-size limit during authentication and before Tune negotiation. This allows an unauthenticated remote client to declare oversized frame lengths, leading to excessive memory consumption in the broker's stream core component. The issue is fixed in RabbitMQ version 4.2.6.
AI Analysis
Technical Summary
RabbitMQ server versions before 4.2.6 contain a resource allocation vulnerability (CWE-770) in the stream listener component. During the authentication phase and before Tune negotiation, the server fails to enforce the configured stream frame-size limit while assembling frames. This flaw permits unauthenticated remote clients to specify oversized frame lengths, which can cause the broker to consume excessive memory in the rabbit_stream_core module. This vulnerability has a CVSS 3.1 base score of 7.5, indicating high severity due to its potential to cause denial of service by resource exhaustion. The issue is resolved in RabbitMQ version 4.2.6.
Potential Impact
An unauthenticated remote attacker can exploit this vulnerability to cause excessive memory consumption on the RabbitMQ broker, potentially leading to denial of service conditions. There is no impact on confidentiality or integrity reported. The primary impact is availability degradation due to resource exhaustion.
Mitigation Recommendations
This vulnerability is fixed in RabbitMQ version 4.2.6. Users should upgrade to version 4.2.6 or later to remediate this issue. No other mitigation or temporary workaround is indicated. Patch status is not explicitly stated in the vendor advisory, but the fix is confirmed in version 4.2.6.
CVE-2026-57220: CWE-770: Allocation of Resources Without Limits or Throttling in rabbitmq rabbitmq-server
Description
CVE-2026-57220 is a vulnerability in RabbitMQ server prior to version 4.2.6 where the stream listener does not enforce the configured stream frame-size limit during authentication and before Tune negotiation. This allows an unauthenticated remote client to declare oversized frame lengths, leading to excessive memory consumption in the broker's stream core component. The issue is fixed in RabbitMQ version 4.2.6.
CVSS v3.1
Score 7.5high
Affected software
pkg:github/rabbitmq/rabbitmq-serverRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
RabbitMQ server versions before 4.2.6 contain a resource allocation vulnerability (CWE-770) in the stream listener component. During the authentication phase and before Tune negotiation, the server fails to enforce the configured stream frame-size limit while assembling frames. This flaw permits unauthenticated remote clients to specify oversized frame lengths, which can cause the broker to consume excessive memory in the rabbit_stream_core module. This vulnerability has a CVSS 3.1 base score of 7.5, indicating high severity due to its potential to cause denial of service by resource exhaustion. The issue is resolved in RabbitMQ version 4.2.6.
Potential Impact
An unauthenticated remote attacker can exploit this vulnerability to cause excessive memory consumption on the RabbitMQ broker, potentially leading to denial of service conditions. There is no impact on confidentiality or integrity reported. The primary impact is availability degradation due to resource exhaustion.
Mitigation Recommendations
This vulnerability is fixed in RabbitMQ version 4.2.6. Users should upgrade to version 4.2.6 or later to remediate this issue. No other mitigation or temporary workaround is indicated. Patch status is not explicitly stated in the vendor advisory, but the fix is confirmed in version 4.2.6.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-24T02:21:33.810Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a515a8d68715ace432d835b
Added to database: 07/10/2026, 20:48:13 UTC
Last enriched: 07/10/2026, 21:02:33 UTC
Last updated: 07/10/2026, 21:41:11 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.