{"schema_version":"1.0","report_url":"https://aretiq.ai/research/vul260607-cve-2026-28318-solarwinds-serv-u-http-deflate-uncontrolled-resource-consumption/","date":"2026-06-07","last_modified":"2026-06-07","cve":"CVE-2026-28318","title":"CVE-2026-28318 — SolarWinds Serv-U HTTP Deflate Uncontrolled Resource Consumption","vulnerability_name":"SolarWinds Serv-U HTTP Deflate Uncontrolled Resource Consumption","vendor":"SolarWinds","product":"Serv-U","component":"HTTP Handler","binary":"Serv-U","impact":"DoS","cwe":["CWE-400","CWE-409"],"severity":{"cvss_v4_score":9.2,"cvss_v4_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:A"},"attack_vector":"Network","patch_kb":"Serv-U 15.5.4 Hotfix 1","poc_verified":true,"poc_download":"https://aretiq.ai/downloads/","tags":["cve-2026-28318","solarwinds","serv-u","http","deflate","decompression-bomb","dos","cisa-kev"],"summary":"A vulnerability exists in SolarWinds Serv-U’s HTTP request handler that processes Content-Encoding: deflate encoded POST bodies. The server decompresses incoming deflate-encoded payloads without enforcing any limit on the decompressed size, allowing an attacker to send a small (~260KB) compressed payload that expands to hundreds of megabytes or gigabytes in memory. This uncontrolled memory allocation causes the Serv-U process to crash with SIGABRT, resulting in a complete denial of service. The attack requires no authentication and can be performed by any network-accessible client. SolarWinds addressed this vulnerability in Serv-U 15.5.4 Hotfix 1, released June 4, 2026. CISA added this CVE to the Known Exploited Vulnerabilities catalog on June 5, 2026, citing active exploitation in the wild.\n"}