CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-11946

highCVSS 7.5covered by 1 sourcefirst seen 2026-07-02
An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32 length field) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configurations. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.

⚡ Watch CVE-2026-11946

Get an email if CVE-2026-11946 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-11946

CVE.org record

Embed the live status

CVE-2026-11946 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-11946 status](https://www.csirts.com/badge/CVE-2026-11946)](https://www.csirts.com/cve/CVE-2026-11946)