zrok Heap Overflow: Unauthenticated DoS Risk
The National Vulnerability Database (NVD) has detailed CVE-2026-40303, a critical vulnerability in zrok, a popular tool for sharing web services, files, and network resources. Prior to version 2.0.1, the endpoints.GetSessionCookie function within zrok improperly handles attacker-supplied cookie chunk counts. This flaw allows an unauthenticated remote attacker to trigger massive heap allocations, leading to gigabyte-scale memory consumption per request.
This memory exhaustion can result in process-level Out-of-Memory (OOM) termination or repeated goroutine panics. Both publicProxy and dynamicProxy functionalities are affected, making widespread exploitation feasible. The NVD assigns a CVSS score of 7.5 (HIGH), emphasizing the severe availability impact (A:H) with no required privileges (PR:N) or user interaction (UI:N).
Attackers can leverage this vulnerability to launch effective Denial-of-Service (DoS) attacks, crippling zrok instances. Organizations relying on zrok for critical sharing operations face significant operational disruption if not patched. The fix is available in zrok version 2.0.1, which addresses the unbounded allocation by properly validating the count parameter before memory allocation.
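The fix described above, validating the client-supplied count before any buffer is sized from it, is the general pattern for this class of bug. The Go code below is an added illustration and is not zrok's own code; the chunk cookie naming (`name_count`, `name_0..name_{n-1}`), the hard limits and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Hypothetical limits for illustration; zrok's real values are not on the page.
const (
	maxChunks    = 16   // hard cap on the client-supplied chunk count
	maxChunkSize = 4096 // browsers cap a single cookie at roughly 4 KiB
)

// parseChunkCount validates the count BEFORE any allocation is sized from it.
// The unpatched pattern the advisory describes amounts to make([]T, count)
// with count taken straight from the request.
func parseChunkCount(raw string) (int, error) {
	n, err := strconv.ParseUint(strings.TrimSpace(raw), 10, 32)
	if err != nil || n == 0 || n > maxChunks {
		return 0, fmt.Errorf("invalid or excessive cookie chunk count %q", raw)
	}
	return int(n), nil
}

// reassembleSessionCookie joins chunk cookies name_0..name_{n-1}. The buffer is
// sized from the validated count, so memory per request is bounded by
// maxChunks*maxChunkSize regardless of what the client sends.
func reassembleSessionCookie(r *http.Request, name string) (string, error) {
	countCookie, err := r.Cookie(name + "_count")
	if err != nil {
		return "", err
	}
	n, err := parseChunkCount(countCookie.Value)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	sb.Grow(n * maxChunkSize)
	for i := 0; i < n; i++ {
		c, err := r.Cookie(fmt.Sprintf("%s_%d", name, i))
		if err != nil || len(c.Value) > maxChunkSize {
			return "", fmt.Errorf("missing or oversized chunk %d", i)
		}
		sb.WriteString(c.Value)
	}
	return sb.String(), nil
}
```

A request carrying a count such as `1000000000` is rejected by `parseChunkCount` before `sb.Grow` runs, which is the property the 2.0.1 fix restores.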
What This Means For You
- If your organization uses zrok, you need to prioritize this. Immediately check your zrok deployments for version 2.0.1 or later. If you're running an older version, patch to 2.0.1 without delay to prevent unauthenticated attackers from easily taking down your services via a simple DoS attack. This isn't theoretical; the attacker's calculus here is low effort, high impact.
CVE-2026-40303: zrok Heap Overflow via Malformed Cookie Count
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40303 | DoS | zrok software versions prior to 2.0.1 |
| CVE-2026-40303 | DoS | Vulnerable function: endpoints.GetSessionCookie |
| CVE-2026-40303 | DoS | Affected components: publicProxy, dynamicProxy |
| CVE-2026-40303 | DoS | Attack vector: Unauthenticated remote attacker triggering heap allocations via cookie chunk count |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.