CVE-2026-27571
Published: 24 February 2026
Summary
CVE-2026-27571 is a medium-severity Data Amplification (CWE-409, Improper Handling of Highly Compressed Data) vulnerability in NATS-Server (vendor listed as Linuxfoundation). Its CVSS v3.1 base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 10.1 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-27571 is a denial-of-service vulnerability in NATS-Server, a high-performance server for the NATS.io cloud and edge native messaging system. The issue affects the WebSockets handling of compressed NATS messages, where the implementation bounds the memory size of a NATS message but fails to independently bound the memory consumption of the decompression stream during message construction. This allows a compression bomb attack that triggers excessive memory usage, often resulting in the operating system terminating the server process. The vulnerability impacts versions prior to 2.11.2 and 2.12.3 and only affects deployments using WebSockets with the network port exposed to untrusted endpoints.
Any remote attacker can exploit this vulnerability over the network without authentication, because WebSockets compression is negotiated before credentials are required. By sending a specially crafted compressed message, the attacker makes the server allocate memory without bound during decompression, even for a message that would fail size validation once fully inflated. The impact is on availability only (no confidentiality or integrity loss), reflected in a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H); the weakness is mapped to CWE-409 (Improper Handling of Highly Compressed Data) and CWE-770 (Allocation of Resources Without Limits or Throttling).
The NATS-Server security advisory (GHSA-qrvq-68c2-7grw) and the related GitHub references describe the fix shipped in versions 2.11.2 and 2.12.3: decompression is now bounded and fails as soon as the inflated output exceeds the message size limit, instead of continuing to inflate. Practitioners should upgrade to these patched releases and review WebSockets configurations so the listener is not exposed to untrusted networks. Commit f77fb7c4535e6727cc1a2899cd8e6bbdd8ba2017 contains the specific changes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8538
Vulnerability details
NATS-Server is a high-performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons. An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process. The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit. The fix, present in versions 2.11.2 and 2.12.3, was to bound the decompression to fail once the message was too large, instead of continuing on. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points.
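The following Go program is an added illustration written for this page; it is not nats-server code and does not reproduce the project's WebSocket implementation. It contrasts the flawed pattern described in the deeper analysis and in the vulnerability details above (inflate the whole frame into memory, then check its size) with the bounded pattern the fix describes (stop inflating the moment the output passes the limit). It uses compress/flate as a raw DEFLATE stream and omits permessage-deflate framing; the 1 MiB limit, the constructed zero-filled bomb and the sample PUB line are assumptions for the demo.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the inflated message exceeds the configured limit.
var ErrTooLarge = errors.New("inflated message exceeds max payload size")

// inflateResult records what one decompression strategy did with a frame.
type inflateResult struct {
	Payload      []byte // the message if accepted, nil if rejected
	Materialised int    // plaintext bytes that were buffered before the verdict
	Err          error
}

// deflate compresses payload as a raw DEFLATE stream (no zlib/gzip header).
// permessage-deflate tail handling (RFC 7692) is deliberately omitted here.
func deflate(payload []byte) []byte {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		panic(err) // only possible for an invalid compression level
	}
	if _, err := w.Write(payload); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// makeBomb builds a constructed compression bomb: n zero bytes, which DEFLATE
// shrinks by roughly a factor of 1000, so kilobytes on the wire become
// megabytes of inflated output on the server.
func makeBomb(n int) []byte {
	return deflate(make([]byte, n))
}

// inflateUnbounded mirrors the flawed pattern: inflate the entire frame into a
// memory buffer and only then compare the result against maxSize. By the time
// the check runs, the attacker's full expansion has already been allocated.
func inflateUnbounded(frame []byte, maxSize int) inflateResult {
	r := flate.NewReader(bytes.NewReader(frame))
	defer r.Close()
	out, err := io.ReadAll(r)
	if err != nil {
		return inflateResult{Err: err}
	}
	if len(out) > maxSize {
		return inflateResult{Materialised: len(out), Err: ErrTooLarge}
	}
	return inflateResult{Payload: out, Materialised: len(out)}
}

// inflateBounded applies the fix the advisory describes: the inflater is
// wrapped so that at most maxSize+1 bytes can ever be read. Seeing that one
// extra byte proves the message is too large, and the frame is rejected
// without inflating the rest of the stream.
func inflateBounded(frame []byte, maxSize int) inflateResult {
	r := flate.NewReader(bytes.NewReader(frame))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, int64(maxSize)+1))
	if err != nil {
		return inflateResult{Materialised: len(out), Err: err}
	}
	if len(out) > maxSize {
		return inflateResult{Materialised: len(out), Err: ErrTooLarge}
	}
	return inflateResult{Payload: out, Materialised: len(out)}
}

func main() {
	const maxPayload = 1 << 20 // 1 MiB, standing in for the server's message size limit
	bomb := makeBomb(32 << 20) // 32 MiB of zeros on the attacker's side
	fmt.Printf("bomb: %d compressed bytes\n", len(bomb))

	u := inflateUnbounded(bomb, maxPayload)
	fmt.Printf("unbounded: buffered %d bytes before rejecting (%v)\n", u.Materialised, u.Err)

	b := inflateBounded(bomb, maxPayload)
	fmt.Printf("bounded:   buffered %d bytes before rejecting (%v)\n", b.Materialised, b.Err)

	ok := inflateBounded(deflate([]byte("PUB foo 5\r\nhello\r\n")), maxPayload)
	fmt.Printf("legitimate message round-trips: %q\n", ok.Payload)
}
```

Both strategies reach the same verdict on the bomb; the difference is how much memory is committed before that verdict. The unbounded variant buffers the full expansion and is the shape of a process the OS will kill under memory pressure, while the bounded variant never holds more than the limit plus one byte, and a legitimate small message still round-trips unchanged.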
CWE(s)
- CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
- CWE-770: Allocation of Resources Without Limits or Throttling
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
- Endpoint Denial of Service: Application or System Exploitation (T1499.004)
Why these techniques?
The CVE enables remote, unauthenticated exploitation of a public-facing WebSocket service (T1190) to trigger application memory exhaustion and process termination via crafted compressed input (T1499.004).
Affected Assets
nats-server releases prior to 2.11.2 and 2.12.3, in deployments that enable WebSockets and expose the listener to untrusted endpoints.
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): directly requires protection against resource-exhaustion DoS attacks such as the compression-bomb memory consumption that terminates the NATS-Server process.
- SI-10 (Information Input Validation): mandates validation of input size and format, which would have prevented unbounded decompression of WebSocket-compressed messages before size checks.
- Boundary protection: requires boundary controls that restrict exposure of the WebSocket listener to untrusted networks, eliminating the unauthenticated attack surface described in the CVE.