<Vulnerability name="CVE-2026-11946">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-02T10:54:17</PublicDate>
    <Bugzilla id="2496476" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496476" xml:lang="en:us">
open62541: open62541: Denial of Service via unvalidated endpoint URL length
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-1284</CWE>
    <Details xml:lang="en:us" source="Mitre">
An unauthenticated remote attacker can exhaust
server memory via the GetEndpoints Discovery Service in open62541. The
endpointUrl field of GetEndpointsRequest is not validated for length. An
attacker can declare an arbitrarily large string (up to ~4.09 GB via the UInt32
length field) delivered across intermediate chunks without ever sending the
final chunk. The server buffers all chunks in RAM indefinitely until the
SecureChannel times out. The attack is
pre-session and bypasses all encryption configurations.



The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in open62541. An unauthenticated remote attacker can exploit a vulnerability in the GetEndpoints Discovery Service by sending a malformed request with an excessively long, unvalidated endpointUrl field. This can lead to the server buffering large amounts of data indefinitely, causing server memory exhaustion and a Denial of Service (DoS) condition. This attack can occur before a secure session is established and bypasses encryption configurations.
    </Details>
    <Statement xml:lang="en:us">
A flaw was found in open62541, an open-source OPC UA implementation. The GetEndpoints Discovery Service does not validate the length of the endpointUrl field in GetEndpointsRequest. An unauthenticated remote attacker can declare an arbitrarily large string (up to ~4 GB) delivered via intermediate chunks without sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out, causing memory exhaustion and denial of service. The attack is pre-session and bypasses all encryption configurations. Affected versions: 1.4.0 through 1.4.16, 1.5.0 through 1.5.4.
    </Statement>
    <Mitigation xml:lang="en:us">
The issue has been fixed in v1.5.5.
    </Mitigation>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-11946
https://nvd.nist.gov/vuln/detail/CVE-2026-11946
https://github.com/open62541/open62541
https://github.com/open62541/open62541/pull/8142
https://github.com/open62541/open62541/pull/8142/changes/d253818d6c5e870e1db0e360b18138c8bdc809ae
    </References>
</Vulnerability>