<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-28318 on Aretiq AI</title><link>https://aretiq.ai/tags/cve-2026-28318/</link><description>Recent content in Cve-2026-28318 on Aretiq AI</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Sun, 07 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://aretiq.ai/tags/cve-2026-28318/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-28318 — SolarWinds Serv-U HTTP Deflate Uncontrolled Resource Consumption</title><link>https://aretiq.ai/research/vul260607-cve-2026-28318-solarwinds-serv-u-http-deflate-uncontrolled-resource-consumption/</link><pubDate>Sun, 07 Jun 2026 00:00:00 +0000</pubDate><guid>https://aretiq.ai/research/vul260607-cve-2026-28318-solarwinds-serv-u-http-deflate-uncontrolled-resource-consumption/</guid><description>&lt;h2 id="1-overview">1. Overview&lt;/h2>
&lt;p>A vulnerability exists in SolarWinds Serv-U&amp;rsquo;s HTTP request handler that processes POST bodies sent with &lt;code>Content-Encoding: deflate&lt;/code>. The server decompresses incoming deflate-encoded payloads without enforcing any limit on the decompressed size, allowing an attacker to send a small (~260 KB) compressed payload that expands to hundreds of megabytes or gigabytes in memory. This uncontrolled memory allocation causes the Serv-U process to crash with SIGABRT, resulting in a complete denial of service. The attack requires no authentication and can be performed by any client that can reach the server over the network. SolarWinds addressed this vulnerability in Serv-U 15.5.4 Hotfix 1, released June 4, 2026. CISA added this CVE to the Known Exploited Vulnerabilities catalog on June 5, 2026, citing active exploitation in the wild.&lt;/p></description></item></channel></rss>