CVE-2026-27571
Published: 24 February 2026
Summary
CVE-2026-27571 is a medium-severity Data Amplification (CWE-409) vulnerability in Linuxfoundation Nats-Server. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 9.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requires throttling and limits on resource allocation to prevent exhaustion.
- This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
- Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
- Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
- Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
- Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
- Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
- Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables remote, unauthenticated exploitation of a public-facing WebSocket service (T1190) to trigger application memory exhaustion and process termination via crafted compressed input (T1499.004).
NVD Description
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons. An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process. The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit. The fix, present in versions 2.11.2 and 2.12.3, was to bound the decompression to fail once the message was too large, instead of continuing on. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points.
Deeper analysis
CVE-2026-27571 is a denial-of-service vulnerability in NATS-Server, a high-performance server for the NATS.io cloud and edge native messaging system. The issue affects the WebSockets handling of compressed NATS messages, where the implementation bounds the memory size of a NATS message but fails to independently bound the memory consumption of the decompression stream during message construction. This allows a compression bomb attack that triggers excessive memory usage, often resulting in the operating system terminating the server process. The vulnerability impacts versions prior to 2.11.2 and 2.12.3 and only affects deployments using WebSockets with the network port exposed to untrusted endpoints.
Any remote attacker can exploit this vulnerability over the network without authentication, as WebSockets compression negotiation occurs before credentials are required. By sending a specially crafted compressed message, the attacker causes the server to allocate unbounded memory during decompression, even if the final message would fail size validation. The impact is to availability only (High), reflected in the CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H), and the issue is mapped to CWEs 409 (Improper Handling of Highly Compressed Data) and 770 (Allocation of Resources Without Limits or Throttling).
The NATS-Server security advisory (GHSA-qrvq-68c2-7grw) and related GitHub references detail the fix implemented in versions 2.11.2 and 2.12.3, which bounds decompression to fail immediately if the message exceeds size limits rather than continuing. Security practitioners should upgrade to these patched releases and review WebSockets configurations to ensure ports are not exposed to untrusted networks. The commit f77fb7c4535e6727cc1a2899cd8e6bbdd8ba2017 provides the specific changes.
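The defect described in the NVD text and the analysis above, as an added Go example that is not nats-server's own code: one inflate routine run in the vulnerable mode (the size check fires only after the whole stream has been buffered) and in the fixed mode (an io.LimitReader caps the stream at the limit, so decompression stops as soon as it is crossed). The 64 KiB limit, the 8 MiB constructed payload and all function names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"io"
)

// Added illustration, not nats-server code, of the bug class behind
// CVE-2026-27571: checking a message's size only after inflating all of it,
// versus bounding the inflate stream itself. All values here are constructed.
var ErrTooLarge = errors.New("decompressed message exceeds maximum size")

// counter records how many inflated bytes passed through it, i.e. how much
// memory was buffered before any size check could fire.
type counter struct {
	r io.Reader
	n int
}

func (c *counter) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += n
	return n, err
}

// inflate decodes a raw-deflate payload and returns the message, the number of
// inflated bytes buffered, and an error. bounded=false is the vulnerable
// pattern (inflate everything, then compare to maxSize, so peak memory follows
// the decompressed size); bounded=true is the fixed pattern (cap the stream at
// maxSize+1 bytes, so reading stops as soon as the limit is crossed).
func inflate(compressed []byte, maxSize int, bounded bool) ([]byte, int, error) {
	var r io.Reader = flate.NewReader(bytes.NewReader(compressed))
	if bounded {
		r = io.LimitReader(r, int64(maxSize)+1)
	}
	c := &counter{r: r}
	out, err := io.ReadAll(c)
	if err == nil && len(out) > maxSize {
		return nil, c.n, ErrTooLarge
	}
	return out, c.n, err
}

// compressRepeated builds a constructed, highly compressible deflate payload
// (n copies of one byte) standing in for a hostile compressed frame.
func compressRepeated(b byte, n int) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	w.Write(bytes.Repeat([]byte{b}, n))
	w.Close()
	return buf.Bytes()
}
```

With a 64 KiB limit, the vulnerable mode buffers the full 8 MiB before rejecting the message, while the bounded mode rejects it after 64 KiB + 1 bytes; the number of bytes on the wire is only a few KiB in both cases.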
Details
- CWE(s)