CVE-2026-3260
Published: 24 March 2026
Summary
CVE-2026-3260 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 29.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly protects against or limits the effects of denial-of-service events such as disk exhaustion caused by malformed HTTP GET requests carrying multipart/form-data.
- Restricts the types, amounts, and characteristics of HTTP request inputs to prevent unbounded parsing and disk storage of multipart/form-data content.
- Validates information inputs such as HTTP parameters so that malformed multipart/form-data that would trigger premature parsing and resource exhaustion is rejected.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote exploitation vector against a public-facing Undertow deployment that directly results in disk resource exhaustion and application DoS; this maps cleanly to T1499.004 (Application or System Exploitation) under the Impact tactic.
NVD Description
A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like `getParameterMap()`, the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).
Deeper analysis
CVE-2026-3260 is a vulnerability in Undertow, published on 2026-03-24, stemming from CWE-770 (Allocation of Resources Without Limits or Throttling). The flaw allows a remote attacker to send an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap(), the server prematurely parses and stores this content to disk, potentially leading to resource exhaustion and a Denial of Service (DoS). It has a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote unauthenticated attacker can exploit this vulnerability over the network by crafting and sending the malformed HTTP GET request. Exploitation requires high attack complexity, but success results in significant availability impact through disk space exhaustion on the server, without affecting confidentiality or integrity.
Red Hat advisories provide details on this issue, available at https://access.redhat.com/security/cve/CVE-2026-3260 and https://bugzilla.redhat.com/show_bug.cgi?id=2443010, which likely include patch information and mitigation guidance for affected Undertow deployments.
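The failure mode described above, a GET request whose multipart/form-data body is parsed and spilled to disk once `getParameterMap()` is called, can be refused before any parameter access happens. The filter below is an added example, not code from the advisory or the Undertow project; it assumes a Jakarta Servlet 5+ container (Undertow's servlet layer, or WildFly), and the class name, URL pattern and the set of methods permitted to carry a form body are choices made here, not values from the advisory.

```java
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Locale;
import java.util.Set;

// Hypothetical defensive filter: runs ahead of every servlet so that a multipart body
// on a method that should never carry one is rejected before getParameterMap() (or any
// other parameter accessor) can trigger multipart parsing and temp-file storage.
@WebFilter("/*")
public class MultipartMethodFilter implements Filter {

    // Assumption: only these methods are expected to submit a multipart form body.
    private static final Set<String> FORM_BODY_METHODS = Set.of("POST", "PUT", "PATCH");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest http && res instanceof HttpServletResponse httpRes) {
            String method = http.getMethod().toUpperCase(Locale.ROOT);
            if (isMultipartFormData(http.getContentType()) && !FORM_BODY_METHODS.contains(method)) {
                // Do not touch the body or parameters; answer from the headers alone.
                httpRes.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "multipart/form-data is not accepted for " + method);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Compare only the media type; "boundary=..." and other parameters follow a ';'.
    static boolean isMultipartFormData(String contentType) {
        if (contentType == null) {
            return false;
        }
        String mediaType = contentType.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        return mediaType.equals("multipart/form-data");
    }
}
```

Size limits on multipart uploads (for example a MultipartConfigElement with a bounded maxRequestSize) remain a complementary control for the methods that legitimately accept form bodies.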
Details
- CWE(s)