CVE-2026-27980
Published: 18 March 2026
Summary
CVE-2026-27980 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Vercel Next.Js. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique OS Exhaustion Flood (T1499.001); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-5 (Denial-of-service Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly enforces denial-of-service protections to prevent attackers from exhausting disk space through unbounded growth of the Next.js image optimization cache.
- Protects the availability of disk resources by imposing limits and quotas to mitigate uncontrolled consumption from unique image variants.
- Requires secure configuration settings such as images.maximumDiskCacheSize to bound the image optimization disk cache and prevent exhaustion.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unbounded disk cache growth via repeated image optimization requests directly enables OS resource exhaustion (disk space) resulting in endpoint DoS.
NVD Description
Next.js is a React framework for building full-stack web applications. Starting in version 10.0.0 and prior to version 16.1.7, the default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth. An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. This is fixed in version 16.1.7 by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. If upgrading is not immediately possible, periodically clean `.next/cache/images` and/or reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`).
Deeper analysis
CVE-2026-27980 affects Next.js, a React framework for building full-stack web applications, in versions from 10.0.0 up to but not including 16.1.7. The vulnerability resides in the default image optimization disk cache served at /_next/image, which lacks a configurable upper bound on its size. Because the cache stores every optimized image variant without limit, it can grow without bound, potentially leading to disk exhaustion and denial-of-service conditions. The issue is classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any network-accessible attacker without privileges can exploit this vulnerability by generating a large number of unique image-optimization variants, such as through repeated requests with varying parameters. This forces the cache to store excessive data on disk, exhausting available storage and causing the application to become unavailable due to denial of service. No user interaction or special privileges are required, making it straightforward for remote attackers to trigger.
Mitigation is addressed in the official advisories and patches, including the Next.js security advisory (GHSA-3x4c-7xq6-9pq8), release notes for v16.1.7, and the fixing commit (39eb8e0ac498b48855a0430fbf4c22276a73b4bd). Upgrading to version 16.1.7 or later introduces an LRU-backed disk cache with the configurable images.maximumDiskCacheSize option, which evicts least-recently-used entries when the limit is reached; setting it to 0 disables disk caching entirely. As interim measures, administrators should periodically clean the .next/cache/images directory and reduce variant cardinality by tightening configurations for images.localPatterns, images.remotePatterns, and images.qualities.
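The following is an added example, not code from Next.js or from this advisory: a small lint for the `images` block of a `next.config.js` that checks the settings the advisory names (`maximumDiskCacheSize`, `remotePatterns`, `qualities`) and estimates how many cache entries one source image can produce. The default `deviceSizes`/`imageSizes` lists are the documented Next.js defaults; treating an unset `qualities` as 100 possible values is this example's worst-case assumption, and the two sample configs are constructed.

```javascript
// Added example (not Next.js code): audit an `images` config for the
// cache-bound and variant-cardinality settings named in CVE-2026-27980.

// Documented Next.js defaults for the width ladder; each width is one cache variant.
const DEFAULT_DEVICE_SIZES = [640, 750, 828, 1080, 1200, 1920, 2048, 3840];
const DEFAULT_IMAGE_SIZES = [16, 32, 48, 64, 96, 128, 256, 384];
// Assumption (worst case): with `qualities` unset, any integer 1..100 may be requested.
const UNBOUNDED_QUALITY_COUNT = 100;

function auditImageConfig(images = {}) {
  const findings = [];
  const limit = images.maximumDiskCacheSize;
  if (limit === undefined) {
    findings.push('maximumDiskCacheSize not set: set it explicitly (added in 16.1.7; earlier releases have no bound)');
  } else if (limit === 0) {
    findings.push('maximumDiskCacheSize is 0: disk cache disabled, every request re-optimizes (CPU instead of disk)');
  }
  for (const p of images.remotePatterns || []) {
    if (!p.hostname || p.hostname.includes('*')) {
      findings.push(`remotePatterns: hostname ${JSON.stringify(p.hostname)} is a wildcard, source set is unbounded`);
    }
    if (!p.pathname) {
      findings.push(`remotePatterns: no pathname for ${p.hostname}, any path on that host is an optimizable source`);
    }
  }
  const qualityCount = Array.isArray(images.qualities) ? images.qualities.length : UNBOUNDED_QUALITY_COUNT;
  if (qualityCount > 3) findings.push(`qualities: ${qualityCount} distinct values multiply every width variant`);
  const widths = (images.deviceSizes || DEFAULT_DEVICE_SIZES).length + (images.imageSizes || DEFAULT_IMAGE_SIZES).length;
  // Cache entries one source can produce: each allowed width times each allowed quality.
  return { findings, variantsPerSource: widths * qualityCount };
}

// Constructed sample configs: the weak one mirrors a pre-16.1.7 default-ish setup.
const weakImages = { remotePatterns: [{ protocol: 'https', hostname: '**' }] };
const hardenedImages = {
  maximumDiskCacheSize: 200 * 1024 * 1024, // 200 MiB LRU bound (16.1.7+)
  qualities: [75],
  remotePatterns: [{ protocol: 'https', hostname: 'cdn.example.com', pathname: '/assets/**' }],
};

console.log('weak:', auditImageConfig(weakImages));
console.log('hardened:', auditImageConfig(hardenedImages));
```

The `variantsPerSource` figure is what "reduce variant cardinality" in the advisory buys you: with the defaults and one quality value it is 16 per source, while an unconstrained quality parameter multiplies that by 100.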
Details
- CWE(s)