Description
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1.
Published: 2026-03-19
Score: 2.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak
Action: Patch
AI Analysis

Impact

The vulnerability affects the OpenWrt JSONPath parser, where the jp_get_token function leaks memory while extracting string literals, field labels, and regular expressions. Dynamic memory allocation is used to store these extraction results in a jp_opcode structure. When the structure is subsequently copied to a new allocation via jp_alloc_op, the original memory is never freed. This results in a memory leak that can accumulate over time, potentially exhausting system memory and causing a denial-of-service condition. The weakness is classified as CWE-401 and CWE-772, both of which describe a failure to release memory or another resource once it is no longer needed. The impact is limited to loss of memory resources; there is no direct compromise of confidentiality, integrity, or remote execution.
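As an added illustration of the ownership bug the description outlines (not OpenWrt's code; the struct and function names are hypothetical stand-ins for jp_opcode, jp_get_token and jp_alloc_op), the following C model counts live allocations so the difference between the copy-and-forget pattern and a move-ownership fix is measurable:

```c
#include <stdlib.h>
#include <string.h>

/* Minimal model of the token hand-off the advisory describes. Names echo
 * jp_opcode / jp_get_token / jp_alloc_op, but this is not OpenWrt's code. */
struct jp_opcode { int type; char *str; };   /* str: heap copy of literal text */
/* Live-allocation counter so the leak is observable without a heap checker. */
static int live_strings = 0;
static char *dup_n(const char *s, size_t n) {
    char *p = malloc(n + 1);
    if (!p) return NULL;
    memcpy(p, s, n); p[n] = '\0'; live_strings++;
    return p;
}
static void free_str(char *s) { if (s) { live_strings--; free(s); } }
/* Lexer step: extract a quoted literal such as 'abc' into a caller-owned temp. */
static int get_token(const char *in, struct jp_opcode *tmp) {
    const char *end;
    if (*in != '\'' || !(end = strchr(in + 1, '\''))) return 0;
    tmp->type = 1;
    return (tmp->str = dup_n(in + 1, (size_t)(end - in - 1))) != NULL;
}
/* Vulnerable pattern: duplicate the string into the new opcode and never free the temp's copy. */
static struct jp_opcode *alloc_op_leaky(const struct jp_opcode *tmp) {
    struct jp_opcode *op = calloc(1, sizeof *op);
    if (!op) return NULL;
    op->type = tmp->type;
    op->str = tmp->str ? dup_n(tmp->str, strlen(tmp->str)) : NULL;
    return op;
}
/* Fixed pattern: move ownership instead of copying; freeing tmp->str right after the copy would also do. */
static struct jp_opcode *alloc_op_fixed(struct jp_opcode *tmp) {
    struct jp_opcode *op = calloc(1, sizeof *op);
    if (!op) return NULL;
    op->type = tmp->type;
    op->str = tmp->str;
    tmp->str = NULL;
    return op;
}
static void free_op(struct jp_opcode *op) { if (op) { free_str(op->str); free(op); } }
/* Lex the same literal n times; returns how many strings are still allocated. */
static int leaked_after(int n, int fixed) {
    live_strings = 0;
    for (int i = 0; i < n; i++) {
        struct jp_opcode tmp = { 0, NULL };
        if (!get_token("'abc'", &tmp)) return -1;
        free_op(fixed ? alloc_op_fixed(&tmp) : alloc_op_leaky(&tmp));
    }
    return live_strings;
}
```

With the leaky hand-off every parsed literal leaves one orphaned string behind, which is the linear growth a memory monitor would see on a device that parses JSONPath expressions repeatedly.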

Affected Systems

The affected product is the OpenWrt Linux operating system designed for embedded devices, under the OpenWrt Project. Versions prior to the releases 24.10.6 and 25.12.1 are vulnerable. Users running earlier builds of OpenWrt should be aware that these systems expose an unpatched JSONPath memory leak.

Risk and Exploitability

The CVSS score of 2.4 classifies the vulnerability as low severity, and the EPSS probability of less than 1% indicates a low likelihood of exploitation. It is not listed in the CISA KEV catalog. Exploitation would require repeatedly feeding crafted JSONPath expressions to the parser until memory is exhausted, causing a local denial of service. No remote code execution or privilege escalation is possible based on the available data. Overall, the risk is low, but escalation to a DoS condition is conceivable if the vulnerability is triggered repeatedly.

Generated by OpenCVE AI on March 24, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenWrt to version 24.10.6 or 25.12.1 (or later) to apply the fixed JSONPath parser.
  • If upgrade is not immediately feasible, restrict the use of JSONPath processing to trusted inputs and monitor memory usage for abnormal growth.
  • Apply general best practices by ensuring the system firmware remains current and review logs for signs of memory exhaustion.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 14:15:00 +0000

Type: CPEs
  Values Added: cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*
Type: Metrics
  Values Removed: cvssV3_1 {'score': 4.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}
  Values Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


Sat, 21 Mar 2026 05:30:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
  Values Added: Openwrt; Openwrt openwrt
Type: Vendors & Products
  Values Added: Openwrt; Openwrt openwrt

Fri, 20 Mar 2026 00:15:00 +0000

Type: Weaknesses
  Values Added: CWE-772
Type: References
Type: Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 4.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}; threat_severity Moderate


Thu, 19 Mar 2026 22:15:00 +0000

Type: Description
  Values Added: OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1.
Type: Title
  Values Added: OpenWrt Project jsonpath: Memory leak when processing strings, labels, and regexp tokens
Type: Weaknesses
  Values Added: CWE-401
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 2.4, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-21T03:26:08.591Z

Reserved: 2026-03-06T00:04:56.698Z

Link: CVE-2026-30873

Vulnrichment

Updated: 2026-03-21T03:25:48.781Z

NVD

Status : Analyzed

Published: 2026-03-19T22:16:31.950

Modified: 2026-03-24T14:11:53.410

Link: CVE-2026-30873

Redhat

Severity : Moderate

Public Date: 2026-03-19T22:01:03Z

Links: CVE-2026-30873 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T11:54:33Z

Weaknesses