Description
In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion.
Published: 2026-04-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Uncontrolled Disk Space Exhaustion Leads to Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability resides in the RadAsyncUpload component of Telerik UI for ASP.NET AJAX before version 2026.1.421. It allows users to upload files whose cumulative size is not properly checked during chunk reassembly, permitting uploads that exceed the configured maximum. This flaw can exhaust the hosting environment’s disk space, potentially rendering the web application and related services unavailable.

Affected Systems

Progress Software’s Telerik UI for ASP.NET AJAX, versions earlier than 2026.1.421, are affected. Users running the RadAsyncUpload control in these releases should verify their installed version against this requirement.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. Although an EPSS score is not provided, the lack of a known exploit in the KEV catalog suggests moderate exploitation likelihood. The attack is likely feasible over the public network via file upload functionality, as the flaw is triggered by submitting oversized uploads to the RadAsyncUpload endpoint.

Generated by OpenCVE AI on April 22, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Telerik UI for ASP.NET AJAX 2026.1.421 or later
  • If a patch is not immediately available, remove or disable the RadAsyncUpload control to prevent file uploads
  • Configure the web server (e.g., IIS request filtering) to reject uploads exceeding the maximum allowed size before reaching the application

Generated by OpenCVE AI on April 22, 2026 at 08:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Progress
Progress telerik Ui For Asp.net Ajax
Vendors & Products Progress
Progress telerik Ui For Asp.net Ajax

Wed, 22 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Description In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion.
Title Uncontrolled Resource Consumption Vulnerability in Telerik UI for ASP.NET AJAX
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Progress Telerik Ui For Asp.net Ajax
cve-icon MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-04-22T12:28:18.218Z

Reserved: 2026-04-09T15:47:25.214Z

Link: CVE-2026-6022

cve-icon Vulnrichment

Updated: 2026-04-22T12:28:13.338Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T08:16:12.903

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-6022

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:30:15Z

Weaknesses