CVE-2026-40303 | Teknoloji dünyasından en güncel haberleri ve güvenlikle ilgili gelişmeleri takip edin.

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie c…
High CVSS: 7.5

CVE-2026-40303

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.
Vendor
-
Product
-
CWE
CWE-400
Yayın Tarihi
2026-04-17 21:16:35
Güncelleme
2026-04-17 21:16:35
Source Identifier
security-advisories@github.com
KEV Date Added
-

Kategoriler

CWE-400 HIGH 2026

Referanslar

https://github.com/openziti/zrok/releases/tag/v2.0.1 https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9