Description

Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel. This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.

Status: PUBLISHED | Reserved 2026-04-24 | Published 2026-05-03 | Updated 2026-05-04 | Assigner: rapid7

Severity: MEDIUM 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

Problem types

CWE-770 Allocation of resources without limits or throttling

Product status

Default status: unaffected

Any version before 0.76.4: affected

Any version before 0.75.9: affected

Timeline

2026-04-19: Initial report by Faisal Alhumaid
2026-04-19: Initial report by Mika Jarvinen
2026-04-27: Advisory published and patch distributed

Credits

We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly. (finder)

We also thank Mika Jarvinen (mika.jarvinen@kapsi.fi) for reporting this issue responsibly at the same time. (finder)

References

docs.velociraptor.app/...uncements/advisories/cve-2026-6948/

cve.org (CVE-2026-6948)

nvd.nist.gov (CVE-2026-6948)