Description
An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32 length field) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configurations.

The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
Published: 2026-07-02
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GetEndpoints Discovery Service in open62541 does not validate the length of the endpointUrl field in a GetEndpointsRequest. An unauthenticated attacker who can reach the server can declare an arbitrarily large string (up to roughly 4.09 GB via the UInt32 length field) and deliver it across intermediate chunks without ever sending the final chunk. Because the server buffers every chunk in RAM with no upper bound on the buffer size, it continues to consume memory until the SecureChannel times out. The attack is pre-session and bypasses all encryption configurations; the result is a denial of service through memory exhaustion, potentially causing a crash or severe slowdown. The weakness is missing input validation that leads to uncontrolled memory use, classified under CWE-770 and CWE-789.
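The two bounds whose absence is described above, written out as an added example (this is not open62541 code and not the project's fix): a per-message cap on buffered chunk bytes and a cap on the declared string length. The names `Reassembly`, `reassembly_add`, `check_string_length` and both limit values are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limits for this sketch; not open62541 configuration names. */
#define MAX_MESSAGE_BYTES (64u * 1024u) /* cap on one unfinished, buffered message */
#define MAX_URL_BYTES     4096u         /* cap on a declared endpointUrl length */

typedef struct { uint8_t *data; size_t len; } Reassembly;
typedef enum { CHUNK_OK, CHUNK_COMPLETE, CHUNK_REJECTED } ChunkResult;

/* Free everything buffered for this channel's in-progress message. */
void reassembly_reset(Reassembly *r) {
    free(r->data);
    r->data = NULL;
    r->len = 0;
}

/* Append one chunk body (is_final: 0 = intermediate chunk, 1 = final chunk).
 * The bound is checked before allocating, so a peer that never sends the
 * final chunk can pin at most MAX_MESSAGE_BYTES of memory. */
ChunkResult reassembly_add(Reassembly *r, const uint8_t *body, size_t n, int is_final) {
    if (n > MAX_MESSAGE_BYTES - r->len) { /* overflow-safe len + n > cap */
        reassembly_reset(r);
        return CHUNK_REJECTED;
    }
    if (n > 0) {
        uint8_t *p = realloc(r->data, r->len + n);
        if (!p) { reassembly_reset(r); return CHUNK_REJECTED; }
        memcpy(p + r->len, body, n);
        r->data = p;
        r->len += n;
    }
    return is_final ? CHUNK_COMPLETE : CHUNK_OK;
}

/* Read the 32-bit little-endian length prefix of a string field and reject
 * it as soon as it is visible, before any of the string body is buffered.
 * Returns 0 and sets *out_len if the declared length is acceptable. */
int check_string_length(const uint8_t *buf, size_t avail, uint32_t *out_len) {
    if (avail < 4) return -1;
    uint32_t len = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                   (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    if (len > MAX_URL_BYTES) return -1;
    *out_len = len;
    return 0;
}
```

A caller that receives `CHUNK_REJECTED` would close the channel rather than wait for its timeout.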

Affected Systems

The vulnerability affects the open62541 project, shipped by o6 Automation GmbH, in all releases from 1.4.0 up through 1.4.16, from 1.5.0 up through 1.5.4, and on the master branch. Users employing those specific versions of the open62541 library should review their deployments for exposure.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity with a large potential impact on application availability. The EPSS score is not reported, so the likelihood of exploitation cannot be quantified from available data, but the vulnerability is reachable via unauthenticated network traffic and bypasses encryption, making it attractive for attackers who wish to disrupt OPC UA services. It is not currently listed in the CISA KEV catalog, which suggests no high‑profile exploit has been observed yet, but the vulnerability remains a legitimate threat to any exposed open62541 instance.

Generated by OpenCVE AI on July 2, 2026 at 15:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched release such as open62541 1.4.17, 1.5.5, or later.
  • Restrict access to the GetEndpoints endpoint by limiting client IP addresses or firewall rules so that only trusted hosts can send discovery requests.
  • Implement memory and process limits or run the server within a container that caps RAM usage to prevent a single process from consuming all system memory.

Generated by OpenCVE AI on July 2, 2026 at 15:31 UTC.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32 length field) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configurations. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
Title | | GetEndpoints Memory Exhaustion in open62541
Weaknesses | | CWE-770, CWE-789
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-07-02T12:15:49.245Z

Reserved: 2026-06-10T21:38:14.592Z

Link: CVE-2026-11946

Vulnrichment

Updated: 2026-07-02T12:15:44.059Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:45:16Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling

  • CWE-789

    Memory Allocation with Excessive Size Value