Information security
from SecurityWeek, 22 hours ago
PoC Code Published for Critical NGINX Vulnerability
CVE-2026-42945 enables heap buffer overflow in NGINX rewrite module, causing DoS and potential RCE when ASLR is disabled.
The most severe of the resolved issues is CVE-2026-42945 (CVSS v4.0 score of 9.2), a denial-of-service (DoS) condition in NGINX's ngx_http_rewrite_module module. The bug allows an unauthenticated attacker to send crafted HTTP requests that, combined with certain conditions beyond the attacker's control, could trigger a heap buffer overflow and a restart. If Address Space Layout Randomization (ASLR) is disabled, the flaw can be exploited for code execution.
Two high-severity issues, tracked as CVE-2026-20034 and CVE-2026-20035, which could lead to server-side request forgery (SSRF) attacks, were resolved in Cisco Unity Connection. Rooted in the insufficient validation of user-supplied input and specific HTTP requests, the flaws could be exploited by remote, authenticated attackers to execute arbitrary code as root or send network requests sourced from the affected device.
We also patched two potential denial-of-service vulnerabilities when handling large, malformed inputs. One exploits inefficient string concatenation in header parsing under ASGI (CVE-2025-14550). Concatenating strings in a loop is known to be slow, and we've done fixes in public where the impact is low. The other one (CVE-2026-1285) exploits deeply nested entities. December's vulnerability in the XML serializer (CVE-2025-64460) was about those very two themes.
Node.js/V8 makes a best-effort attempt to recover from stack space exhaustion with a catchable error, which frameworks have come to rely on for service availability. A bug that only reproduces when async_hooks are used would break this attempt, causing Node.js to exit with 7 directly without throwing a catchable error when recursions in user code exhaust the stack space. This makes applications whose recursion depth is controlled by unsanitized input vulnerable to Denial-of-Service attacks.
Tracked as CVE-2025-43400, the security defect is described as an out-of-bounds write issue in the operating system's FontParser component that could lead to a denial-of-service (DoS) condition or memory corruption. "Processing a maliciously crafted font may lead to unexpected app termination or corrupt process memory," Apple explains. According to advisories from the Hong Kong CERT and Akaoma Cybersecurity, the vulnerability can be exploited remotely, without privileges, although user interaction is required.