CVE-2026-41606
Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade t
CVSS
5.3
Medio
EPSS
1.1%
p63
KEV
—
Exploit Today
19
0-100
Publicado: 28 abr 2026 · Última mod.: 15 jul 2026 · CWE-674 · CWE-606
1.1%EPSS · 30 días1.1%
2026-06-302026-07-16
Uncontrolled Recursion vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue.
- lists.apache.orghttps://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/04/28/3
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:14885
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:21769
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:22347
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:22423
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:23345
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:24539
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36882
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-41606
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2463408
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41606.json
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-15197.5 ALT72.2%
——22If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries).
This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.2dCVE-2026-271456.5 MED56.9%
——17(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.14hCVE-2026-309227.5 ALT52.5%
——16pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with "Indefinite Length" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.2dCVE-2026-398207.5 ALT51.9%
——16Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.14hCVE-2026-338147.5 ALT51.8%
——16When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.2dCVE-2026-321417.5 ALT51.7%
——16flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.14h