
44 matches found

Vulnrichment
added 3 days ago, 5 views

CVE-2026-49361 Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability

Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting...

5.8 AI score, 0.00154 EPSS
Exploits: 0, References: 1

RedhatCVE
added 2026/05/26 2:12 p.m., 8 views

CVE-2026-42437

OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing th...

8.2 CVSS, 5.8 AI score, 0.0012 EPSS
Exploits: 0, References: 1

RedhatCVE
added 2026/05/15 6:4 p.m., 3 views

CVE-2026-42788

A flaw was found in bandit. An unauthenticated remote attacker can exploit a vulnerability in the HTTP/2 frame deserialization process by sending oversized HTTP/2 frames. This allows the attacker to force the server to buffer excessive amounts of memory, leading to memory exhaustion and a denial ...

7.5 CVSS, 5.9 AI score, 0.00031 EPSS
Exploits: 0, References: 7

OSV
added 2026/05/15 12:0 p.m., 1 view

RUSTSEC-2026-0154 Unbounded 32-bit allocation

Both the SSH agent server and client accepted peer-controlled frame lengths without enforcing a maximum frame size. This could cause large memory allocations while parsing a maliciously crafted agent frame. A malicious peer could advertise an oversized frame length, causing the client or server t...

7.5 CVSS, 5.9 AI score
Exploits: 0, References: 4

RustSec
added 2026/05/15 12:0 p.m., 4 views

Unbounded 32-bit allocation

Both the SSH agent server and client accepted peer-controlled frame lengths without enforcing a maximum frame size. This could cause large memory allocations while parsing a maliciously crafted agent frame. A malicious peer could advertise an oversized frame length, causing the client or server t...

5.9 AI score
Exploits: 0, Affected Software: 1

Github Security Blog
added 2026/05/07 3:52 a.m., 3 views

Bandit HTTP/2 Frame Size Limit Bypass via Late Buffer Check Enables Memory Exhaustion

Summary Bandit's HTTP/2 parser checks frame size after it has already buffered the full body, instead of when it sees the 9-byte header. A peer can announce a 16 MiB frame on a connection that agreed to 16 KiB frames and the server will silently buffer up to 1024× the agreed budget per connection...

6.9 CVSS, 5.9 AI score, 0.00031 EPSS
Exploits: 0, References: 6, Affected Software: 1

Snyk
added 2026/05/05 1:35 p.m., 5 views

Allocation of Resources Without Limits or Throttling

Overview @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the voice-call realtime WebSocket path when oversized WebSocket frames are accepted without proper validation. An attacker ca...

8.2 CVSS, 5.8 AI score, 0.0012 EPSS
Exploits: 0, References: 2

Snyk
added 2026/05/05 1:35 p.m., 3 views

Allocation of Resources Without Limits or Throttling

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the voice-call realtime WebSocket path when oversized WebSocket frames are accepted without proper validation. An attacker can cau...

8.2 CVSS, 5.8 AI score, 0.0012 EPSS
Exploits: 0, References: 2

NVD
added 2026/05/05 12:16 p.m., 3 views

CVE-2026-42437

OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing th...

8.2 CVSS, 0.0012 EPSS
Exploits: 0, References: 3

ATTACKERKB
added 2026/05/05 11:24 a.m., 1 view

CVE-2026-42437

OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing th...

8.2 CVSS, 5.8 AI score, 0.0012 EPSS
Exploits: 0, References: 4, Affected Software: 1

CVE
added 2026/05/05 11:24 a.m., 5 views

CVE-2026-42437

Technical details are not publicly available in the provided documents. Monitor for updates.

8.2 CVSS, 5.8 AI score, 0.0012 EPSS
Exploits: 0, References: 3

Cvelist
added 2026/05/05 11:24 a.m., 32 views

CVE-2026-42437 OpenClaw 2026.4.9 < 2026.4.10 - Denial of Service via Oversized WebSocket Frames in Voice-call Realtime Path

OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing th...

8.2 CVSS, 0.0012 EPSS
Exploits: 0, References: 3

Vulnrichment
added 2026/05/05 11:24 a.m., 1 view

CVE-2026-42437 OpenClaw 2026.4.9 < 2026.4.10 - Denial of Service via Oversized WebSocket Frames in Voice-call Realtime Path

OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing th...

8.2 CVSS, 5.8 AI score, 0.0012 EPSS
Exploits: 0, References: 3

ATTACKERKB
added 2026/05/01 8:34 p.m., 1 view

CVE-2026-42788

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated memory exhaustion via oversized HTTP/2 frames. 'Elixir.Bandit.HTTP2.Frame':deserialize/2 in lib/bandit/http2/frame.ex checks the SETTINGS_MAX_FRAME_SIZE limit only after pattern-matching...

6.9 CVSS, 5.9 AI score, 0.00031 EPSS
Exploits: 0, References: 5, Affected Software: 1

Cvelist
added 2026/05/01 8:34 p.m., 30 views

CVE-2026-42788 HTTP/2 frame size limit checked after body is buffered in bandit

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated memory exhaustion via oversized HTTP/2 frames. 'Elixir.Bandit.HTTP2.Frame':deserialize/2 in lib/bandit/http2/frame.ex checks the SETTINGS_MAX_FRAME_SIZE limit only after pattern-matching...

6.9 CVSS, 0.00031 EPSS
Exploits: 0, References: 4

EUVD
added 2026/04/28 6:9 p.m., 3 views

EUVD-2026-26108

OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket frames before start validation. Remote attackers can send oversized pre-start WebSocket frames to cause resource consumption and denial of service...

8.7 CVSS, 5.2 AI score, 0.00164 EPSS
Exploits: 0, References: 3

Vulnrichment
added 2026/04/28 6:9 p.m., 1 view

CVE-2026-41400 OpenClaw < 2026.3.31 - Resource Consumption via Oversized WebSocket Frames in voice-call

OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket frames before start validation. Remote attackers can send oversized pre-start WebSocket frames to cause resource consumption and denial of service...

6.9 CVSS, 5.2 AI score, 0.00164 EPSS
Exploits: 0, References: 3

Cvelist
added 2026/04/28 6:9 p.m., 26 views

CVE-2026-41400 OpenClaw < 2026.3.31 - Resource Consumption via Oversized WebSocket Frames in voice-call

OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket frames before start validation. Remote attackers can send oversized pre-start WebSocket frames to cause resource consumption and denial of service...

6.9 CVSS, 0.00164 EPSS
Exploits: 0, References: 3

OSV
added 2026/04/17 9:48 p.m., 1 view

GHSA-VW3H-Q6XQ-JJM5 OpenClaw: Voice-call realtime WebSocket accepted oversized frames

Summary Voice-call realtime WebSocket accepted oversized frames. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.9 = 2026.4.10 Impact The voice-call realtime WebSocket path could accept oversized frames, creating a remote availability risk for...

8.7 CVSS, 5.8 AI score, 0.0012 EPSS
Exploits: 0, References: 4

Github Security Blog
added 2026/04/17 9:48 p.m., 4 views

OpenClaw: Voice-call realtime WebSocket accepted oversized frames

Summary Voice-call realtime WebSocket accepted oversized frames. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.9 = 2026.4.10 Impact The voice-call realtime WebSocket path could accept oversized frames, creating a remote availability risk for...

8.2 CVSS, 5.4 AI score, 0.0012 EPSS
Exploits: 0, References: 4, Affected Software: 1