Cyber Resilience

CVE-2026-3260

Severity: Medium · Tag: DDoS

Published: 24 March 2026
Modified: 08 April 2026
KEV Added: none (not in the CISA KEV catalog)
CVSS Score v3.1: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0049 (66.2th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3260 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability affecting Red Hat Enterprise Linux. Its CVSS v3.1 base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 33.8% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3260 is a vulnerability in Undertow, published on 2026-03-24 and classified as CWE-770 (Allocation of Resources Without Limits or Throttling). A remote attacker can send an HTTP GET request whose body is multipart/form-data content. If the application then reads request parameters through methods such as getParameterMap(), the server prematurely parses that body and stores its content to disk, which can exhaust disk space and cause a Denial of Service (DoS). The CVSS v3.1 base score is 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote, unauthenticated attacker can exploit this vulnerability over the network by sending such a GET request. Attack complexity is rated high, but a successful attack has a significant availability impact through disk-space exhaustion on the server, with no effect on confidentiality or integrity.
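As an added example, not the Undertow project's fix or Red Hat's guidance, the following servlet filter refuses multipart/form-data on request methods that should carry no body, and caps the declared body size elsewhere, before any application code calls getParameterMap() and triggers multipart parsing. It assumes the javax.servlet namespace (jakarta.servlet on EAP 8), Servlet 4.0 or later, and that the bodyless-method set and the 10 MiB cap suit the deployment.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Refuses multipart/form-data on methods that should carry no body, and caps the
 * declared size elsewhere, before application code calls getParameterMap() and
 * triggers multipart parsing. Illustrative, not the Undertow fix; map it to every
 * path and order it ahead of all other filters (Servlet 4.0+ for default init/destroy).
 */
public class MultipartMethodGuardFilter implements Filter {

    // Methods on which this application never expects a form body (assumed policy).
    private static final Set<String> BODYLESS_METHODS = Set.of("GET", "HEAD", "OPTIONS", "DELETE");
    // Largest multipart body accepted on other methods; 10 MiB is an assumed value.
    private static final long MAX_MULTIPART_BYTES = 10L * 1024 * 1024;

    static boolean shouldReject(String method, String contentType, long contentLength) {
        if (contentType == null
                || !contentType.toLowerCase(Locale.ROOT).startsWith("multipart/form-data")) {
            return false; // not multipart: nothing for the form parser to buffer to disk
        }
        if (BODYLESS_METHODS.contains(method.toUpperCase(Locale.ROOT))) {
            return true; // the pattern this CVE describes: multipart on a GET-like method
        }
        // Unknown length (-1, e.g. chunked) or an oversized declaration is also refused.
        return contentLength < 0 || contentLength > MAX_MULTIPART_BYTES;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // These accessors only read headers; unlike getParameter*(), they do not start form parsing.
        if (shouldReject(request.getMethod(), request.getContentType(), request.getContentLengthLong())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "multipart/form-data not accepted for this request");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Rejected requests are a useful detection signal: log the method, Content-Type and declared length at this point, since a GET with a multipart body is rarely legitimate traffic.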

Red Hat's advisories for this issue are available at https://access.redhat.com/security/cve/CVE-2026-3260 and https://bugzilla.redhat.com/show_bug.cgi?id=2443010; they likely include patch information and mitigation guidance for affected Undertow deployments.


Vulnerability details

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like `getParameterMap()`, the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).

CWE(s): CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a remote exploitation vector against a public-facing Undertow deployment that directly results in disk resource exhaustion and application DoS; this maps cleanly to T1499.004 (Application or System Exploitation) under the Impact tactic.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28368, same product: Redhat Build Of Apache Camel - Hawtio
CVE-2026-28369, same product: Redhat Build Of Apache Camel - Hawtio
CVE-2026-28367, same product: Redhat Build Of Apache Camel - Hawtio
CVE-2026-9064, same product: Redhat Enterprise Linux
CVE-2025-12543, same product: Redhat Data Grid
CVE-2026-7307, same vendor: Redhat
CVE-2026-3009, same product: Redhat Jboss Enterprise Application Platform
CVE-2026-3121, same product: Redhat Jboss Enterprise Application Platform
CVE-2021-47791, shared CWE-770
CVE-2026-35457, shared CWE-770

Affected Assets (vendor: product, versions)

redhat: build of apache camel - hawtio, 4.0
redhat: build of apache camel for spring boot, 4.0
redhat: data grid, 8.0
redhat: fuse, 7.0.0
redhat: jboss enterprise application platform, 7.0.0 and 8.0.0
redhat: jboss enterprise application platform expansion pack, all versions
redhat: process automation, 7.0
redhat: single sign-on, 7.0
redhat: undertow, all versions
redhat: enterprise linux, 8.0, 9.0 and 10.0

Mitigating Controls (NIST 800-53 r5)

SC-5 Denial-of-service Protection (prevent, detect): Directly protects against or limits the effects of denial-of-service events such as disk exhaustion from malformed HTTP GET requests carrying multipart/form-data.

Input restriction (prevent): Restricts the types, amounts, and characteristics of HTTP request inputs to prevent unbounded parsing and disk storage of multipart/form-data content.

SI-10 Information Input Validation (prevent): Validates information inputs such as HTTP parameters to reject malformed multipart/form-data that triggers premature parsing and resource exhaustion.
