CVE-2026-29795
Published: 06 March 2026
Summary
CVE-2026-29795 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Stellar Stellar-Xdr. Its CVSS base score is 4.0 (Medium).
Operationally, it is ranked at the 9.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.
- Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.
- Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.
- Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.
- Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.
- Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.
- Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.
- Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
NVD Description
stellar-xdr is a library and CLI containing types and functionality for working with Stellar XDR. Prior to version 25.0.1, StringM::from_str does not validate that the input length is within the declared maximum (MAX). Calling StringM::<N>::from_str(s) where s is longer than N bytes succeeds and returns an Ok value instead of Err(Error::LengthExceedsMax), producing a StringM that violates its length invariant. This affects any code that constructs StringM values from string input using FromStr (including str::parse), and relies on the type's maximum length constraint being enforced. An oversized StringM could propagate through serialization, validation, or other logic that assumes the invariant holds. This issue has been patched in version 25.0.1.
Deeper analysis
CVE-2026-29795 affects the stellar-xdr library and CLI, which provide types and functionality for working with Stellar XDR. Prior to version 25.0.1, the StringM::from_str function fails to validate that input strings do not exceed the declared maximum length (MAX). When calling StringM::<N>::from_str(s) with a string longer than N bytes, the function returns Ok instead of Err(Error::LengthExceedsMax), creating a StringM instance that violates its length invariant. This impacts any code constructing StringM values from string inputs via FromStr (including str::parse) while assuming the maximum length constraint is enforced.
A local attacker with no privileges required can exploit this vulnerability with low complexity and no user interaction. By supplying an oversized string to affected parsing functions, they can generate invalid StringM values. These oversized instances may propagate through serialization, validation, or other logic that relies on the length invariant, potentially leading to integrity violations in dependent applications, as indicated by the CVSS v3.1 score of 4.0 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and associated CWE-770.
The issue has been addressed in version 25.0.1 of stellar-xdr. The Stellar security advisory (GHSA-x57h-xx53-v53w), related GitHub issue #499, pull request #500, and patching commit 1f840013c3e2fca0321fb844b048afa01d10dda6 provide details on the fix, recommending an upgrade to the patched version to enforce proper length validation.
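The length invariant described above, as an added Rust illustration that is not stellar-xdr's own code: BoundedString, from_str_unchecked and invariant_holds are assumed names standing in for StringM<N> and its constructors. The unchecked path mirrors the pre-25.0.1 behaviour, the FromStr impl shows the checked path, and the bound is on bytes, as the advisory states, so a multi-byte string can exceed N with fewer than N characters.

```rust
use std::str::FromStr;

// Hypothetical error type standing in for stellar-xdr's Error::LengthExceedsMax.
#[derive(Debug, PartialEq)]
pub enum Error {
    LengthExceedsMax,
}

// Illustrative bounded string modelled on StringM<N>; the invariant is len() <= N bytes.
#[derive(Debug, PartialEq)]
pub struct BoundedString<const N: usize>(Vec<u8>);

impl<const N: usize> BoundedString<N> {
    pub const MAX: usize = N;

    // Checked constructor: the only path that should ever produce a value.
    pub fn new(bytes: Vec<u8>) -> Result<Self, Error> {
        if bytes.len() > Self::MAX {
            return Err(Error::LengthExceedsMax);
        }
        Ok(Self(bytes))
    }

    pub fn len(&self) -> usize { self.0.len() }

    // Mirrors the pre-25.0.1 defect (hypothetical name): no bound check at all.
    pub fn from_str_unchecked(s: &str) -> Self { Self(s.as_bytes().to_vec()) }

    // Post-hoc check a consumer can run on a value received from elsewhere.
    pub fn invariant_holds(&self) -> bool { self.0.len() <= Self::MAX }
}

// Fixed behaviour: FromStr (and therefore str::parse) routes through the checked constructor.
impl<const N: usize> FromStr for BoundedString<N> {
    type Err = Error;
    fn from_str(s: &str) -> Result<Self, Self::Err> { Self::new(s.as_bytes().to_vec()) }
}

fn main() {
    let oversized = "x".repeat(40);
    let bad = BoundedString::<32>::from_str_unchecked(&oversized);
    println!("unchecked: len={} invariant_holds={}", bad.len(), bad.invariant_holds());
    println!("checked: {:?}", oversized.parse::<BoundedString<32>>());
}
```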
Details
- CWE(s)