{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40303", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T20:22:44.036Z", "datePublished": "2026-04-17T21:01:51.899Z", "dateUpdated": "2026-04-20T16:19:07.291Z"}, "containers": {"cna": {"title": "zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9"}, {"name": "https://github.com/openziti/zrok/releases/tag/v2.0.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openziti/zrok/releases/tag/v2.0.1"}], "affected": [{"vendor": "openziti", "product": "zrok", "versions": [{"version": "< 2.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:01:51.899Z"}, "descriptions": [{"lang": "en", "value": "zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue."}], "source": {"advisory": "GHSA-cpf9-ph2j-ccr9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:18:59.334800Z", "id": "CVE-2026-40303", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:19:07.291Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40303", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:18:59.334800Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:19:03.497Z"}}], "cna": {"title": "zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing", "source": {"advisory": "GHSA-cpf9-ph2j-ccr9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "openziti", "product": "zrok", "versions": [{"status": "affected", "version": "< 2.0.1"}]}], "references": [{"url": "https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9", "name": "https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openziti/zrok/releases/tag/v2.0.1", "name": "https://github.com/openziti/zrok/releases/tag/v2.0.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:01:51.899Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40303", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:19:07.291Z", "dateReserved": "2026-04-10T20:22:44.036Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T21:01:51.899Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netfoundry:zrok:*:*:*:*:*:*:*:*", "matchCriteriaId": "70C6F018-6D34-4A75-A49D-A795B0A5B056", "versionEndExcluding": "2.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue."}], "id": "CVE-2026-40303", "lastModified": "2026-04-23T18:33:09.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T21:16:35.140", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/openziti/zrok/releases/tag/v2.0.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "zrok", "source": "cna", "vendor": "openziti"}, "product": "zrok", "vendor": "openziti"}], "analysis": {"en": {"generated_at": "2026-04-18T08:56:55.595471+00:00", "value": {"mitigation_remediation": ["Upgrade to zrok 2.0.1 or later to apply the patched cookie size validation.", "If an update is not immediately possible, apply rate\u2011limiting to requests against the OAuth\u2011protected proxy endpoints to reduce the impact of repeated malicious requests.", "Consider disabling publicProxy and dynamicProxy features until the patch is deployed, or use network\u2011level controls such as firewall rules to block or monitor anomalous request patterns that could trigger memory exhaustion."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via unbounded memory allocation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the openziti:zrok service on all versions prior to 2.0.1, impacting both the publicProxy and dynamicProxy configurations. Version 2.0.1 and later contain the fix that limits the size of the cookie chunk count during parsing.", "description_and_impact": "zrok, an open-source tool for sharing web services, contains a flaw that allows a remote attacker to trigger gigabyte\u2011scale heap allocations by sending a specially crafted cookie when accessing an OAuth\u2011protected proxy. The endpoint parses an attacker\u2011supplied cookie chunk count and creates a slice of that size before validating the token, exposing the process to uncontrolled memory usage. Failure to limit the allocation can cause the zrok process to be terminated by the operating system due to out\u2011of\u2011memory or repeatedly panic, resulting in a denial of service for all users sharing that endpoint.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity, and the lack of an EPSS value means current exploitation propensity is unknown. The vulnerability is not listed in the CISA KEV catalog. Attackers only need to craft a request to an OAuth\u2011protected proxy; no authentication is required, so any external host can trigger the issue. Once activated, the memory exhaustion leads to service degradation or termination, which can be leveraged in targeted denial\u2011of\u2011service attacks."}}}}, "created": "2026-04-18T09:00:05.901349+00:00", "updated": "2026-04-20T14:59:33.773960+00:00", "vendors": ["openziti", "openziti$PRODUCT$zrok"]}