Threats Tagged 'cwe-404'
View all threats tagged with 'cwe-404'. Filter and sort to focus on specific types of threats.
CVE-2026-45174: CWE-404: Improper Resource Shutdown or Release in CyberArk Software, a Palo Alto Networks Company Idira Endpoint Privilege Manager
CVE-2026-45174 is a high-severity vulnerability in the Idira Endpoint Privilege Manager Linux Agent version 26.0. It involves improper resource shutdown or release, potentially allowing a local attacker to compromise the agent daemon initialization. The vulnerability is identified as CWE-404. No official patch or remediation level has been provided yet by the vendor. There are no known exploits in the wild at this time.
CVE Database V5 | 06/11/2026, 21:22:13 UTC | Added: 06/11/2026, 21:31:04 UTC
CVE-2026-47213: CWE-404: Improper Resource Shutdown or Release in boxlite-ai boxlite
Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. In versions 0.8.2 and prior, Boxlite allows users to configure a timeout for services running inside the virtual machine. When the timeout is triggered, Boxlite sends a signal to kill the process. However, instead of using the uncatchable SIGKILL signal, Boxlite uses the catchable SIGALRM signal. Malicious code running inside the sandbox can exploit this vulnerability to continue running after the timeout is triggered, leading to resource exhaustion within the virtual machine and affecting the availability of the Boxlite service. This issue has been patched via commit 28159fc.
CVE Database V5 | 06/10/2026, 22:20:04 UTC | Added: 06/10/2026, 22:32:03 UTC
CVE-2025-9784: Allocation of Resources Without Limits or Throttling
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).
GCVE Database | 09/02/2025, 13:37:59 UTC | Added: 06/08/2026, 21:20:19 UTC
CVE-2026-45090: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in hahwul dalfox
CVE-2026-45090 is a race condition vulnerability in hahwul dalfox versions prior to 2.13.0. The issue arises because two sequential worker stages write to the same results channel, which is closed after the first stage, causing the second stage to write to a closed channel. This triggers a Go runtime panic that crashes the dalfox process. In server mode, this crash can be remotely triggered by unauthenticated callers via the REST API if the default configuration is used without an API key and the attacker supplies POST-body data that is reflected by the target. The vulnerability is fixed in version 2.13.0.
CVE Database V5 | 05/27/2026, 17:33:06 UTC | Added: 05/27/2026, 17:48:47 UTC
CVE-2026-8745: Denial of Service in Open5GS
CVE-2026-8745 is a medium severity vulnerability in Open5GS versions up to 2.7.7. It affects the ogs_timer_add function within the AUSF component, specifically in the /src/ausf/nausf-handler.c library. The vulnerability allows a remote attacker to cause a denial of service by manipulating this function. Although an exploit is publicly available, there are no known exploits in the wild at this time. The Open5GS project has been informed but has not yet responded or provided a patch.
GCVE Database | 05/17/2026, 09:45:07 UTC | Added: 05/17/2026, 10:52:23 UTC
CVE-2026-40136: CWE-404: Improper Resource Shutdown or Release in SAP_SE SAP Financial Consolidation
CVE-2026-40136 is a vulnerability in SAP Financial Consolidation (version FINANCE 1010) that allows an authenticated attacker to temporarily disconnect other users by terminating their sessions. This results in a temporary denial of service for those users but does not compromise the application itself. There is no impact on data confidentiality or integrity. The overall impact on availability is low, and the vulnerability has a medium severity rating with a CVSS score of 4.3.
CVE Database V5 | 05/12/2026, 02:21:51 UTC | Added: 05/12/2026, 02:51:29 UTC
CVE-2026-7263: CWE-404 Improper Resource Shutdown or Release in PHP Group PHP
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial of service in the processing application.
CVE Database V5 | 05/10/2026, 04:43:04 UTC | Added: 05/10/2026, 05:51:24 UTC
CVE-2026-6985: Infinite Loop in Cesanta Mongoose
A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handle_opt of the file /src/net_builtin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 7.21 is able to resolve this issue. Upgrading the affected component is advised. VulDB has contacted the vendor early and they confirmed quickly, that this issue got fixed already.
CVE Database V5 | 04/25/2026, 16:15:13 UTC | Added: 04/25/2026, 22:34:13 UTC
CVE-2025-43935: CWE-404: Improper Resource Shutdown or Release in Dell PowerScale OneFS
Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper resource shutdown or release vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service.
CVE Database V5 | 04/16/2026, 17:59:04 UTC | Added: 04/16/2026, 18:32:12 UTC
CVE-2025-13901: CWE-404 Improper Resource Shutdown or Release in Schneider Electric Modicon M241/M251
CWE-404 Improper Resource Shutdown or Release vulnerability exists that could cause partial Denial of Service on Machine Expert protocol when an unauthenticated attacker sends malicious payload to occupy active communication channels.
CVE Database V5 | 03/10/2026, 17:02:22 UTC | Added: 03/10/2026, 17:34:43 UTC
Showing 1 to 10 of 42 results