CVE-2026-7572 - Vulnerability Details

- Velociraptor EVTX Parser — Process Crash via Crafted .evtx File

Description

An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin.

Published: 2026-05-06

Score: 4.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An off‑by‑one error in the ConsumeUnit16Array and ConsumeUnit64Array functions causes the parse_evtx VQL plugin to crash when processing a specially crafted .evtx file. The resulting crash leads to a denial of service, compromising the availability of Velociraptor services that run the plugin but does not affect confidentiality or integrity. The flaw is identified as CWE‑193. No code execution or privilege escalation is possible from this vulnerability.

Affected Systems

Velocidex Velociraptor on both Windows and Linux platforms is affected for all releases prior to version 0.76.5. Users of these earlier releases are vulnerable unless the vendor issue has been remediated through a newer build.

Risk and Exploitability

The CVSS score of 4.4 reflects a moderate severity. The EPSS score is not provided, and the vulnerability is not listed in CISA KEV, indicating limited evidence of active exploitation in the wild. Based on the description, the likely attack vector is local: an adversary who can supply a custom .evtx file to the parse_evtx plugin can trigger the crash. Because the plugin runs with the privileges of the Velociraptor process, the impact is confined to the availability of that process, not to broader system compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Velocidex

velociraptor

unaffected

Version	Status	Constraints
`0`	affected	< 0.76.5

Configuration 1 [-]

AND

cpe:2.3:a:rapid7:velociraptor:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor Product Confidence Versions

Velocidex

Velociraptor

100%

Version	Status	Scheme	Platform
`[0,0.76.5)`	affected	semver	['windows', 'linux']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Velociraptor to version 0.76.5 or later.
If an immediate upgrade is not possible, limit the use of the parse_evtx VQL plugin to trusted data sources and prevent ingestion of untrusted .evtx files.
Monitor Velociraptor logs for unexpected process crashes and consider running the plugin in a sandboxed environment until a patch is applied.

Generated by OpenCVE AI on May 6, 2026 at 05:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-6cmp-qv2f-x97x	Velocidex Velociraptor has an off-by-one error

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00006.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://docs.velociraptor.app/announcements/advisories/cve-2026-7572/

History

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel Microsoft Microsoft windows Rapid7 Rapid7 velociraptor
CPEs		cpe:2.3:a:rapid7:velociraptor:::::::: cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Linux Linux linux Kernel Microsoft Microsoft windows Rapid7 Rapid7 velociraptor

Wed, 06 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 06 May 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Velocidex Velocidex velociraptor
Vendors & Products		Velocidex Velocidex velociraptor

Wed, 06 May 2026 03:00:00 +0000

Type	Values Removed	Values Added
Description		An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin.
Title		Velociraptor EVTX Parser — Process Crash via Crafted .evtx File
Weaknesses		CWE-193
References		https://docs.velociraptor.app/announcements/advisories/cve-2026-7572/
Metrics		cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}`

Subscriptions

Linux Linux Kernel

Microsoft Windows

Rapid7 Velociraptor

Velocidex Velociraptor

MITRE

Status: PUBLISHED

Assigner: rapid7

Published: 2026-05-06T02:38:59.573Z

Updated: 2026-05-06T16:42:17.097Z

Reserved: 2026-05-01T00:05:50.505Z

Link: CVE-2026-7572

Vulnrichment

Updated: 2026-05-06T16:40:26.019Z

NVD

Status : Analyzed

Published: 2026-05-06T03:15:58.470

Modified: 2026-06-01T16:59:31.070

Link: CVE-2026-7572

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T09:21:19Z

Weaknesses

CWE-193

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object