Description
Missing Release of Memory after Effective Lifetime vulnerability in ydb-platform ydb (contrib/libs/yajl modules). This vulnerability is associated with program files yail_tree.C.

This issue affects ydb: through 24.4.4.2.
Published: 2026-01-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service due to out-of-memory crash
Action: Apply Patch
AI Analysis

Impact

The flaw is a missing release of memory after its effective lifetime (CWE-401) in code that calls yajl_tree_parse from the yajl library bundled in ydb-platform/ydb under contrib/libs/yajl. yajl_tree_parse builds a heap-allocated tree for the whole document, and in yajl that tree (a yajl_val) has to be released with yajl_tree_free once the caller is done with it; in the affected code it is not, so each parse that reaches this path leaks its tree. The leaked memory accumulates with every such request until the server process exhausts available memory and is killed. The consequence is a denial of service: the database process terminates and the services it backs become unavailable.

Affected Systems

ydb-platform ydb versions up to and including 24.4.4.2 are affected. The leak sits in the server component as shipped by default, so every installation of those versions is susceptible until it is upgraded to a release that contains the fix.

Risk and Exploitability

The CNA scored the flaw CVSS 4.0 6.9 (Medium); Red Hat independently rated it CVSS 3.1 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), Moderate. Both vectors describe the same risk shape: reachable over the network, no privileges or user interaction required, and availability the only impact. The EPSS score below 1% indicates a low probability of exploitation at this time, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation while marking the issue automatable. The likely attack vector is delivery of JSON payloads (many of them, or large ones) to an exposed endpoint whose handling goes through yajl_tree_parse, repeated until the process runs out of memory. No mitigations beyond applying a patch that releases the parsed tree are publicly documented.

Generated by OpenCVE AI on April 18, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest release or patch that fixes the memory leak around the yajl_tree_parse call.
  • As an interim control, constrain the size of JSON data accepted by the server or pre-validate incoming data to prevent excessive memory allocation.
  • Implement monitoring of server memory usage and configure alerts for sudden memory spikes to detect leaks early.
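The interim control above (bound the size of accepted JSON and pre-validate it) can be enforced with a cheap structural check that runs before the document is handed to yajl_tree_parse, so a single request cannot force an arbitrarily large tree allocation. The following C program is an added example written for this page; it is not ydb or yajl code, and the limits it uses (64 bytes, 8 levels) are hypothetical values chosen to keep the samples short. It tracks strings (with escapes) so that braces inside string values are not counted, and rejects input that is too large, nested too deeply, or structurally unbalanced.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes returned by json_prefilter(). */
enum prefilter_result {
    PF_OK = 0,            /* within limits, safe to hand to the parser */
    PF_TOO_LARGE = -1,    /* byte length exceeds max_bytes */
    PF_TOO_DEEP = -2,     /* container nesting exceeds max_depth */
    PF_UNBALANCED = -3    /* mismatched or unterminated containers/strings */
};

/*
 * Structural pre-check to run before yajl_tree_parse (or any tree-building
 * parser). It does not validate the full JSON grammar; it only follows
 * strings (honouring backslash escapes) and the {} [] nesting, and bounds
 * both the input size and the nesting depth. max_depth is capped at 256
 * so the open-container stack below stays fixed-size.
 */
int json_prefilter(const char *buf, size_t len, size_t max_bytes, int max_depth)
{
    char stack[256];
    int depth = 0;
    int in_string = 0;

    if (len > max_bytes)
        return PF_TOO_LARGE;
    if (max_depth > (int)sizeof stack)
        max_depth = (int)sizeof stack;

    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (in_string) {
            if (c == '\\')
                i++;                /* skip the escaped character */
            else if (c == '"')
                in_string = 0;
            continue;
        }
        switch (c) {
        case '"':
            in_string = 1;
            break;
        case '{':
        case '[':
            if (depth >= max_depth)
                return PF_TOO_DEEP;
            stack[depth++] = c;
            break;
        case '}':
        case ']': {
            char want = (c == '}') ? '{' : '[';
            if (depth == 0 || stack[depth - 1] != want)
                return PF_UNBALANCED;
            depth--;
            break;
        }
        default:
            break;
        }
    }
    if (in_string || depth != 0)
        return PF_UNBALANCED;
    return PF_OK;
}

int main(void)
{
    /* Constructed sample inputs for illustration, not captured traffic. */
    const char *samples[] = {
        "{\"k\":\"}{][\"}",          /* braces inside a string: accepted */
        "[[[[[[[[[[]]]]]]]]]]",      /* 10 levels deep: rejected at max_depth 8 */
        "{\"a\":[1,2}",              /* mismatched close: rejected */
        "\"unterminated"             /* unterminated string: rejected */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %d\n", samples[i],
               json_prefilter(samples[i], strlen(samples[i]), 64, 8));
    return 0;
}
```

A rejected document never reaches the parser, so it never allocates a tree that the vulnerable caller would fail to release; this bounds the per-request cost of the leak but does not remove it, and upgrading to a fixed release remains the actual remediation.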

Advisories

No advisories yet.

History

Mon, 02 Feb 2026 12:15:00 +0000

  • References
  • Metrics, values removed: threat_severity: None
  • Metrics, values added: cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}; threat_severity: Moderate

Tue, 27 Jan 2026 20:30:00 +0000

  • First Time appeared, values added: Ydb; Ydb ydb
  • Vendors & Products, values added: Ydb; Ydb ydb

Tue, 27 Jan 2026 17:15:00 +0000

  • Metrics, values added: ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 09:15:00 +0000

  • Description, values added: Missing Release of Memory after Effective Lifetime vulnerability in ydb-platform ydb (contrib/libs/yajl modules). This vulnerability is associated with program files yail_tree.C. This issue affects ydb: through 24.4.4.2.
  • Title, values added: a memory leak in ydb-platform/ydb with use of yajl_tree_parse function from src/yail module, which will cause out-of-memory in server and cause crash.
  • Weaknesses, values added: CWE-401
  • References
  • Metrics, values added: cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:U/V:D/RE:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T16:57:43.248Z

Reserved: 2026-01-27T08:59:05.366Z

Link: CVE-2026-24825

Vulnrichment

Updated: 2026-01-27T16:57:39.717Z

NVD

Status : Deferred

Published: 2026-01-27T09:15:53.347

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24825

Redhat

Severity : Moderate

Public Date: 2026-01-27T09:02:51Z

Links: CVE-2026-24825 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses