CVE-2026-28318 — SolarWinds Serv-U HTTP Deflate Uncontrolled Resource Consumption

1. Overview

A vulnerability exists in SolarWinds Serv-U’s HTTP request handler that processes Content-Encoding: deflate encoded POST bodies. The server decompresses incoming deflate-encoded payloads without enforcing any limit on the decompressed size, allowing an attacker to send a small (~260KB) compressed payload that expands to hundreds of megabytes or gigabytes in memory. This uncontrolled memory allocation causes the Serv-U process to crash with SIGABRT, resulting in a complete denial of service. The attack requires no authentication and can be performed by any network-accessible client. SolarWinds addressed this vulnerability in Serv-U 15.5.4 Hotfix 1, released June 4, 2026. CISA added this CVE to the Known Exploited Vulnerabilities catalog on June 5, 2026, citing active exploitation in the wild. ...

June 7, 2026 · 12 min · Aretiq AI

CVE-2026-3593 — ISC BIND 9 DNS-over-HTTPS HTTP/2 SETTINGS Use-After-Free

1. Overview

A use-after-free vulnerability exists in ISC BIND 9’s DNS-over-HTTPS (DoH) implementation. When a DoH response has been sent, the response buffer is freed but a dangling pointer (socket->h2->wbuf) is left pointing to the freed memory. If a client floods HTTP/2 SETTINGS frames that change INITIAL_WINDOW_SIZE, the nghttp2 library re-evaluates stream flow control and calls the data provider callback (server_read_callback), which reads from the freed buffer via memmove(). The UAF read is confirmed by AddressSanitizer and reliably crashes ASAN-instrumented builds (~40% per round). Against production BIND builds using jemalloc, the freed memory remains mapped and the read succeeds silently — the server does not crash. Information disclosure via the HTTP/2 DATA stream was not confirmed: although server_read_callback reads freed heap bytes, nghttp2 discards the result because the stream’s data provider had already signaled EOF; no extra bytes are transmitted to the attacker. The practical impact is therefore denial of service against hardened builds, and a latent memory safety violation in production that could become exploitable if nghttp2’s internal handling changes. ISC addressed this vulnerability in BIND 9.20.23 and 9.21.22. ...

June 5, 2026 · 10 min · Aretiq AI

CVE-2026-41089 — Microsoft Windows Netlogon BuildSamLogonResponse Stack-based Buffer Overflow RCE

1. Overview

A stack-based buffer overflow vulnerability exists in the Windows Netlogon service’s DC locator ping response handler. When a domain controller processes a CLDAP search request, it serializes response data including attacker-supplied and server-side strings into a fixed-size stack buffer without adequate bounds checking. An unauthenticated remote attacker can send a single crafted CLDAP packet to a domain controller’s UDP port 389, causing the Netlogon service to crash the LSASS process and force the domain controller to reboot. The exploitability depends on the target domain controller’s DNS naming configuration — domain controllers with longer DNS domain names and hostnames are vulnerable. Microsoft addressed this vulnerability in the May 2026 security update. ...

May 13, 2026 · 13 min · Aretiq AI