Description
Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel. This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.
Published: 2026-05-03
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unbounded memory allocation in the VQLResponse result‑set writer of Velociraptor’s server. A malicious or compromised client can send crafted messages on the normal agent control channel, causing the server to allocate excessive memory and trigger an out‑of‑memory condition that crashes the service. The resulting denial of service prevents the server from handling legitimate requests, impacting availability but not confidentiality or integrity.
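The Go example below is added here to illustrate the weakness class the advisory names (CWE-770, allocation of resources without limits); it is not Velociraptor's code and says nothing about the real VQLResponse wire format. The message layout is constructed for the example, and the names DeclaredRows, ParseRowsBounded, Encode, HostileHeader and the caps MaxRowsPerResponse and MaxRowBytes are all assumptions. It shows why a writer that sizes its buffers from a peer-declared count can be driven to OOM by a four-byte header, and how a bounded parser rejects the same input before allocating.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed wire format for this illustration only (not Velociraptor's
// protocol): a 4-byte big-endian row count, then that many rows, each a
// 2-byte big-endian length prefix followed by the row bytes.

// Assumed policy limits for the hardened parser.
const (
	MaxRowsPerResponse = 1000
	MaxRowBytes        = 4096
)

var (
	ErrTruncated   = errors.New("truncated message")
	ErrTooManyRows = errors.New("declared row count exceeds MaxRowsPerResponse")
	ErrRowTooLarge = errors.New("row length exceeds MaxRowBytes")
)

// DeclaredRows returns the row count the peer claims. A writer with no
// allocation limit (CWE-770) would call make([]string, 0, n) with this value
// directly, so a four-byte header can request gigabytes of backing store.
func DeclaredRows(msg []byte) (uint32, error) {
	if len(msg) < 4 {
		return 0, ErrTruncated
	}
	return binary.BigEndian.Uint32(msg[:4]), nil
}

// ParseRowsBounded allocates only what policy and the bytes actually present
// can justify; nothing is sized from the declared count alone.
func ParseRowsBounded(msg []byte) ([]string, error) {
	n, err := DeclaredRows(msg)
	if err != nil {
		return nil, err
	}
	if n > MaxRowsPerResponse {
		return nil, ErrTooManyRows
	}
	body := msg[4:]
	// Every row costs at least its 2-byte length prefix, so the payload size
	// bounds the row count independently of the policy cap.
	if uint64(n)*2 > uint64(len(body)) {
		return nil, ErrTruncated
	}
	rows := make([]string, 0, n) // safe: n <= MaxRowsPerResponse
	for i := uint32(0); i < n; i++ {
		if len(body) < 2 {
			return nil, ErrTruncated
		}
		l := int(binary.BigEndian.Uint16(body[:2]))
		body = body[2:]
		if l > MaxRowBytes {
			return nil, ErrRowTooLarge
		}
		if len(body) < l {
			return nil, ErrTruncated
		}
		rows = append(rows, string(body[:l]))
		body = body[l:]
	}
	return rows, nil
}

// Encode builds a well-formed message in the constructed format.
func Encode(rows []string) []byte {
	out := make([]byte, 4)
	binary.BigEndian.PutUint32(out, uint32(len(rows)))
	for _, r := range rows {
		out = append(out, byte(len(r)>>8), byte(len(r)))
		out = append(out, r...)
	}
	return out
}

// HostileHeader is a constructed client message that declares the maximum
// row count but carries no row data at all.
func HostileHeader() []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, 0xFFFFFFFF)
	return hdr
}

func main() {
	rows, err := ParseRowsBounded(Encode([]string{"host=a", "host=b"}))
	fmt.Println("well-formed:", rows, err)

	n, _ := DeclaredRows(HostileHeader())
	// A []string slot is a 16-byte header on 64-bit Go, before any row data.
	fmt.Printf("unbounded writer would reserve %d slots (about %d MiB)\n",
		n, uint64(n)*16>>20)
	_, err = ParseRowsBounded(HostileHeader())
	fmt.Println("bounded writer:", err)
}
```

The two checks are independent on purpose: the policy cap limits what any single response may cost the server, and the prefix-size check rejects counts the payload cannot physically contain, so even a declared count under the cap cannot reserve memory for rows that never arrive.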

Affected Systems

Rapid7 Velociraptor servers running any 0.76 release earlier than version 0.76.4 and any 0.75 release earlier than version 0.75.9 are affected. The vulnerability exists only in the server component; client binaries are not directly impacted.
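The following Go check is added here and is not part of the advisory or the Velociraptor project. It applies the affected ranges above to a version string: the 0.75 line is treated as fixed at 0.75.9 and every other version as fixed at 0.76.4, which is how the headline "prior to 0.76.4" wording is read here. It assumes the server reports its version as an x.y.z triple somewhere in its output, as in the output of `velociraptor version`; the sample output embedded below is constructed, not captured from a real server.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
)

// Version is a numeric x.y.z triple; comparing numbers rather than strings
// keeps 0.76.10 ordered after 0.76.4.
type Version struct{ Major, Minor, Patch int }

// Fixed releases named in the advisory, keyed by release line. Any line not
// listed here falls back to the headline "prior to 0.76.4" rule.
var fixedIn = map[[2]int]Version{
	{0, 76}: {0, 76, 4},
	{0, 75}: {0, 75, 9},
}

var headlineFix = Version{0, 76, 4}

// Assumed: the version appears as the first x.y.z triple in the input; an
// optional "v" prefix and anything after the patch number are ignored.
var versionRe = regexp.MustCompile(`\bv?(\d+)\.(\d+)\.(\d+)`)

// SampleVersionOutput is constructed text in the shape of `velociraptor
// version` output; it was not captured from a real deployment.
const SampleVersionOutput = "Name: velociraptor\nVersion: 0.76.3\n"

// ParseVersion extracts the first x.y.z triple from s.
func ParseVersion(s string) (Version, error) {
	m := versionRe.FindStringSubmatch(s)
	if m == nil {
		return Version{}, errors.New("no x.y.z version found in input")
	}
	var parts [3]int
	for i := range parts {
		n, err := strconv.Atoi(m[i+1])
		if err != nil {
			return Version{}, err
		}
		parts[i] = n
	}
	return Version{parts[0], parts[1], parts[2]}, nil
}

// Less reports whether v is older than o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// IsAffected applies the advisory's ranges: 0.75.x is affected below 0.75.9,
// and every other version is affected if it is older than 0.76.4.
func IsAffected(v Version) bool {
	if fix, ok := fixedIn[[2]int{v.Major, v.Minor}]; ok {
		return v.Less(fix)
	}
	return v.Less(headlineFix)
}

func main() {
	for _, in := range []string{SampleVersionOutput, "0.75.9", "0.76.10", "v0.74.1"} {
		v, err := ParseVersion(in)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%d.%d.%d affected=%v\n", v.Major, v.Minor, v.Patch, IsAffected(v))
	}
}
```

Run it against the version string from each server you operate; a 0.74 or older server is reported as affected because the advisory's fixed builds are only on the 0.75 and 0.76 lines, so such a server needs to move to one of those.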

Risk and Exploitability

The CVSS v3.1 score of 4.9 (Medium) comes from the vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H: the attack is delivered over the network with low complexity, but it requires high privileges, here control of an enrolled Velociraptor client or its credentials, so an unauthenticated remote attacker cannot trigger it directly. Since no EPSS score is available, no concrete exploitation probability is known, and the CVE is not listed in CISA's KEV catalog. A successful exploit crashes the server; the impact is limited to loss of availability until the service is restarted, with no confidentiality or integrity impact.

Generated by OpenCVE AI on May 4, 2026 at 01:20 UTC.

Remediation

Vendor Solution

To remediate, you will need to upgrade your server (see https://www.velociraptor-docs.org/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade) to the latest version of your release:

  • For 0.76 releases, upgrade immediately to v0.76.4: https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64
  • For 0.75 releases, upgrade immediately to v0.75.9: https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64


OpenCVE Recommended Actions

  • Upgrade Velociraptor server to v0.76.4 if running a 0.76 release
  • Upgrade Velociraptor server to v0.75.9 if running a 0.75 release
  • Restrict which hosts can reach the server's client frontend (firewalls) and rate-limit client traffic; this reduces exposure but does not remove it, because the attacker here is already an enrolled or compromised client, so upgrading remains the fix

Generated by OpenCVE AI on May 4, 2026 at 01:20 UTC.

Advisories

No advisories yet.

History

Mon, 04 May 2026 04:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Rapid7; Rapid7 velociraptor
Vendors & Products   -                Rapid7; Rapid7 velociraptor

Mon, 04 May 2026 00:15:00 +0000

Type         Values Removed   Values Added
Description  -                Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel. This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.
Title        -                Unbounded Memory Allocation in VQLResponse Result-Set Writer
Weaknesses   -                CWE-770
References   -                -
Metrics      -                cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Rapid7 Velociraptor
MITRE

Status: PUBLISHED

Assigner: rapid7

Published:

Updated: 2026-05-03T23:55:40.555Z

Reserved: 2026-04-24T03:35:48.568Z

Link: CVE-2026-6948

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-04T00:16:39.467

Modified: 2026-05-04T00:16:39.467

Link: CVE-2026-6948

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T04:00:10Z

Weaknesses