Description
Nanobot prior to version 0.2.1 contains a denial of service vulnerability in the Matrix channel media download handler that allows authenticated room members to exhaust process memory and bandwidth by sending media events with missing or invalid size metadata. Attackers can send multiple concurrent Matrix media events with omitted or invalid declared sizes to trigger simultaneous large media downloads that fully materialize response bodies before post-download rejection, consuming process resources until service degradation occurs.
Published: 2026-06-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nanobot before version 0.2.1 contains a denial‑of‑service flaw in the Matrix channel media download handler. Authenticated room members can send media events that lack or contain invalid size metadata. Each event triggers a large media download that fully materializes the response body before the server rejects it, exhausting process memory and bandwidth. The result is service degradation or outage, reflecting a CWE‑770 uncontrolled resource consumption vulnerability.

Affected Systems

The vulnerability affects the HKUDS Nanobot software under version 0.2.1 and earlier. Users running any Nanobot build that predates the 0.2.1 release are susceptible. No other versions are reported as affected.

Risk and Exploitability

The CVSS base score of 5.3 indicates a medium severity impact. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. The attack requires authenticated access to a Matrix room where the user is a member; once authenticated, the attacker can flood the server with crafted media events. Although it does not allow arbitrary code execution, repeated exploitation can lead to denial of service. No known public exploit has been documented, but the conditions for successful exploitation are easy to meet for legitimate users.

Generated by OpenCVE AI on June 1, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nanobot to v0.2.1 or later.
  • Restrict media upload permissions and enforce size metadata validation to prevent resource exhaustion.
  • If upgrade is not feasible, temporarily disable the Matrix media download handler or limit concurrent download bandwidth.

Generated by OpenCVE AI on June 1, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Hkuds
Hkuds nanobot
Vendors & Products Hkuds
Hkuds nanobot

Mon, 01 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Nanobot prior to version 0.2.1 contains a denial of service vulnerability in the Matrix channel media download handler that allows authenticated room members to exhaust process memory and bandwidth by sending media events with missing or invalid size metadata. Attackers can send multiple concurrent Matrix media events with omitted or invalid declared sizes to trigger simultaneous large media downloads that fully materialize response bodies before post-download rejection, consuming process resources until service degradation occurs.
Title Nanobot < 0.2.1 Denial of Service via Matrix Media Download Handler
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Hkuds Nanobot
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-02T12:34:55.972Z

Reserved: 2026-05-27T17:40:12.739Z

Link: CVE-2026-49140

cve-icon Vulnrichment

Updated: 2026-06-02T12:34:39.891Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T21:16:47.070

Modified: 2026-06-02T14:43:49.920

Link: CVE-2026-49140

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T21:30:26Z

Weaknesses