CVE-2024-3653

Severity: Medium
Published: 08 July 2024
Modified: 15 April 2026
KEV Added: (not listed)
Patch: see the Red Hat advisories under Deeper analysis
CVSS v3.1 score: 5.3 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS score: 0.0443 (89.3rd percentile)
Risk priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-3653 is a medium-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 10.7% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability was found in Undertow that is reachable only when the learning-push handler is enabled in the server configuration, a setting that is disabled by default. Leaving the handler's maxAge parameter at its default value of -1 exposes the component to the flaw, which is tracked as CWE-401 (memory that is never released after its effective lifetime); configuring any other value for maxAge prevents the issue. The affected software is the Undertow web server, and the weakness can be reached through ordinary network requests.

An unauthenticated attacker with network access can send crafted HTTP requests to trigger the vulnerability, producing a limited denial-of-service condition that affects availability but does not impact confidentiality or integrity. The CVSS 3.1 score of 5.3 reflects the low attack complexity and absence of required privileges or user interaction.

Red Hat has published multiple advisories (RHSA-2024:4392, RHSA-2024:5143, RHSA-2024:5144, RHSA-2024:5145, and RHSA-2024:5147) that address the issue through updated packages for affected products. The current EPSS score remains low at 0.0443 after a modest and temporary peak.

Vulnerability details

A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
