Cyber Resilience

CVE-2026-27571

Severity: Medium · Category: DDoS

Published: 24 February 2026
Modified: 26 February 2026
KEV Added: not listed
Patch: available (see fixed versions below)
CVSS Score v3.1: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (10.1st percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27571 is a medium-severity Data Amplification (CWE-409, Improper Handling of Highly Compressed Data) vulnerability in Linuxfoundation Nats-Server (nats-server). Its CVSS v3.1 base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 10.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27571 is a denial-of-service vulnerability in NATS-Server, the high-performance server for the NATS.io cloud and edge native messaging system. The issue is in the WebSocket handling of compressed NATS messages: the implementation bounds the size of a finished NATS message, but it does not independently bound the memory consumed by the decompression stream while the message is being assembled. A compression bomb (a small DEFLATE stream that inflates to a very large payload) therefore drives memory usage far past the message limit before the size check ever runs, and the operating system often terminates the server process. The advisory text names versions prior to 2.11.2 and 2.12.3 as affected; the affected-asset range recorded below (≤ 2.11.12 and 2.12.0 to 2.12.3) suggests the 2.11 fix is actually 2.11.12, so confirm the exact fixed release against the upstream advisory before declaring a host patched. Only deployments that enable WebSockets and expose that port to untrusted endpoints are affected.

Any remote attacker can exploit this over the network without authentication, because WebSocket compression is negotiated before credentials are required. By sending a specially crafted compressed message, the attacker causes the server to allocate memory during decompression without a ceiling, even though the final message would fail size validation. The result is a high availability impact with no confidentiality or integrity effect; attack complexity is rated high (AC:H), which is why the CVSS v3.1 base score stays at 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). The weakness maps to CWE-409 (Improper Handling of Highly Compressed Data) and CWE-770 (Allocation of Resources Without Limits or Throttling).

The NATS-Server security advisory (GHSA-qrvq-68c2-7grw) and the related GitHub references describe the fix shipped in the patched releases: decompression is now bounded so that it fails as soon as the inflated message exceeds the size limit, rather than continuing to inflate. Practitioners should upgrade to a patched release and review WebSocket configurations so that the listener is not reachable from untrusted networks. Commit f77fb7c4535e6727cc1a2899cd8e6bbdd8ba2017 contains the specific changes.
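The two paragraphs above describe the bug (a size check that runs only after the whole stream has been inflated) and the fix (bounding the inflater itself). The Go example below, added here and not code from the nats-server project, reproduces both patterns with the standard library's compress/flate, which is the same raw DEFLATE that WebSocket permessage-deflate carries. The 1 MiB message limit, the 16 MiB zero-filled bomb and the function names are constructed for illustration; the point is the number of bytes each reader materialises before it rejects the message.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the inflated payload exceeds the configured
// maximum. Both readers return it; they differ in how much memory they
// have already consumed by the time they do.
var ErrTooLarge = errors.New("decompressed payload exceeds max size")

// makeBomb builds a constructed, highly compressible DEFLATE stream: n bytes
// of zeros compress to roughly n/1000 bytes. This is sample input for the
// example, not a captured message.
func makeBomb(n int) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression)
	zeros := make([]byte, 64*1024)
	for remaining := n; remaining > 0; {
		chunk := len(zeros)
		if remaining < chunk {
			chunk = remaining
		}
		w.Write(zeros[:chunk])
		remaining -= chunk
	}
	w.Close()
	return buf.Bytes()
}

// decompressUnbounded mirrors the vulnerable pattern: the size check exists,
// but it runs only after the entire stream has been inflated into memory.
// It returns how many bytes were materialised before the message was
// rejected, which for a bomb is the full inflated size.
func decompressUnbounded(compressed []byte, maxPayload int) (int, error) {
	out, err := io.ReadAll(flate.NewReader(bytes.NewReader(compressed)))
	if err != nil {
		return len(out), err
	}
	if len(out) > maxPayload {
		return len(out), ErrTooLarge // too late: memory is already consumed
	}
	return len(out), nil
}

// decompressBounded caps the inflater itself. io.LimitReader stops the read
// at maxPayload+1 bytes, so a bomb costs at most maxPayload+1 bytes of
// memory before it is rejected, regardless of its true inflated size.
func decompressBounded(compressed []byte, maxPayload int) (int, error) {
	limited := io.LimitReader(flate.NewReader(bytes.NewReader(compressed)), int64(maxPayload)+1)
	out, err := io.ReadAll(limited)
	if err != nil {
		return len(out), err
	}
	if len(out) > maxPayload {
		return len(out), ErrTooLarge
	}
	return len(out), nil
}

func main() {
	const maxPayload = 1 << 20 // assumed 1 MiB message limit
	bomb := makeBomb(16 << 20) // 16 MiB of zeros, a few KiB on the wire

	fmt.Printf("compressed bomb size: %d bytes\n", len(bomb))
	n, err := decompressUnbounded(bomb, maxPayload)
	fmt.Printf("unbounded: inflated %d bytes before rejecting (%v)\n", n, err)
	n, err = decompressBounded(bomb, maxPayload)
	fmt.Printf("bounded:   inflated %d bytes before rejecting (%v)\n", n, err)
}
```

The bounded reader reads one byte past the limit on purpose: that extra byte is what distinguishes "exactly at the limit, accept" from "over the limit, reject" without ever inflating the remainder. A real server would additionally stream into a pre-sized buffer rather than io.ReadAll, but the limit placement is the part the advisory is about.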

Vulnerability details

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS message but did not independently bound the memory consumption of the memory stream when constructing a NATS message which might then fail validation for size reasons. An attacker can use a compression bomb to cause excessive memory consumption, often resulting in the operating system terminating the server process. The use of compression is negotiated before authentication, so this does not require valid NATS credentials to exploit. The fix, present in versions 2.11.2 and 2.12.3, was to bound the decompression to fail once the message was too large, instead of continuing on. The vulnerability only affects deployments which use WebSockets and which expose the network port to untrusted end-points.

CWE(s)

CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The CVE enables remote, unauthenticated exploitation of a public-facing WebSocket service (T1190) to trigger application memory exhaustion and process termination via crafted compressed input (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27889 (same product: Linuxfoundation Nats-Server)
CVE-2026-29785 (same product: Linuxfoundation Nats-Server)
CVE-2026-33218 (same product: Linuxfoundation Nats-Server)
CVE-2026-33247 (same product: Linuxfoundation Nats-Server)
CVE-2026-33216 (same product: Linuxfoundation Nats-Server)
CVE-2026-33217 (same product: Linuxfoundation Nats-Server)
CVE-2026-26008 (same vendor: Linuxfoundation)
CVE-2024-24417 (same vendor: Linuxfoundation)
CVE-2025-68136 (same vendor: Linuxfoundation)
CVE-2024-24420 (same vendor: Linuxfoundation)

Affected Assets

Vendor: linuxfoundation
Product: nats-server
Affected version ranges as listed: ≤ 2.11.12 · 2.12.0 to 2.12.3

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SC-5 Denial-of-service Protection (prevent)
Directly requires protection against resource-exhaustion DoS attacks such as the compression-bomb memory consumption that terminates the NATS-Server process.

SI-10 Information Input Validation (prevent)
Mandates validation of input size and format, which would have prevented unbounded decompression of WebSocket-compressed messages before size checks.

Boundary protection (prevent; the control identifier did not survive extraction, and the description matches NIST 800-53 SC-7, Boundary Protection)
Requires boundary controls that restrict exposure of the WebSocket listener to untrusted networks, eliminating the unauthenticated attack surface described in the CVE.

References

GitHub Security Advisory GHSA-qrvq-68c2-7grw (NATS-Server)
Fix commit f77fb7c4535e6727cc1a2899cd8e6bbdd8ba2017 (nats-server)