Cyber Resilience

CVE-2026-33241

HighPublic PoCDDoS

Published: 24 March 2026

Published
24 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0044 34.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33241 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Salvo Salvo. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-33241 affects Salvo, a Rust web framework, in versions prior to 0.89.3. The vulnerability resides in the form data parsing implementations, specifically the `form_data()` method and `Extractible` macro, which fail to enforce payload size limits before loading entire request bodies into memory. This flaw, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), enables out-of-memory (OOM) conditions with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Remote attackers require only network access to exploit this issue, with no authentication, privileges, or user interaction needed. By transmitting extremely large form data payloads, adversaries can trigger excessive memory consumption, causing service crashes and denial-of-service disruptions.

The Salvo project addressed this in version 0.89.3 with a patch enforcing payload size limits. Security practitioners should upgrade to this version or later, as detailed in the GitHub security advisory (GHSA-pp9r-xg4c-8j4x) and release notes (v0.89.3).

EU & UK References

Vulnerability details

Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions…

more

by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in web framework form parsing allows unauthenticated remote attackers to trigger OOM crashes via oversized payloads, directly enabling T1499.004 (Application or System Exploitation) for Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22257Same product: Salvo Salvo
CVE-2026-33242Same product: Salvo Salvo
CVE-2026-22256Same product: Salvo Salvo
CVE-2021-47877Shared CWE-770
CVE-2021-47784Shared CWE-770
CVE-2021-47793Shared CWE-770
CVE-2021-47895Shared CWE-770
CVE-2026-23490Shared CWE-770
CVE-2026-31866Shared CWE-770
CVE-2026-33260Shared CWE-770

Affected Assets

salvo
salvo
≤ 0.89.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely patching of Salvo to version 0.89.3 or later, which enforces payload size limits in form data parsing.

prevent

Provides comprehensive denial-of-service protections that counter OOM conditions from attackers sending extremely large form data payloads.

prevent

Limits resource availability, such as memory allocation, to prevent service crashes due to unbounded request body consumption in Salvo.

References