Cyber Posture

CVE-2026-34824

High · Public PoC

Published: 03 April 2026
Modified: 13 April 2026
KEV Added: not listed
Patch: available (fixed in 1.2.5)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (8.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34824 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Mesop-Dev Mesop. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique OS Exhaustion Flood (T1499.001); ranked at the 8.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to OS Exhaustion Flood (T1499.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI-generated

- SC-5 Denial-of-service Protection (prevent): Directly implements denial-of-service protections such as rate limiting and throttling to prevent resource exhaustion from rapid unauthenticated WebSocket message floods.
- SC-6 Resource Availability (prevent): Enforces safeguards on system resources such as OS threads and memory to block unbounded consumption triggered by excessive WebSocket message processing.
- Concurrent session limiting (prevent): Limits concurrent WebSocket sessions to reduce the attack surface for thread exhaustion from multiple unauthenticated connections.

MITRE ATT&CK Enterprise Techniques · AI-generated

T1499.001 OS Exhaustion Flood (Impact)
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS).
Why these techniques?

The vulnerability enables direct exploitation for OS thread exhaustion and resource depletion via WebSocket message flooding, mapping to OS Exhaustion Flood for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5.

Deeper analysis · AI-generated

CVE-2026-34824 is an uncontrolled resource consumption vulnerability in the WebSocket implementation of the Mesop framework, a Python-based tool for building web applications. It affects Mesop versions from 1.2.3 up to but not including 1.2.5. The flaw allows an unauthenticated attacker to send a rapid succession of WebSocket messages, causing the server to spawn an unbounded number of operating system threads. This results in thread exhaustion and Out of Memory (OOM) errors, leading to a complete Denial of Service (DoS) condition for any application built on the framework. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-125 and CWE-770.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no privileges required. By flooding the WebSocket endpoint with messages, the attacker forces excessive thread creation, quickly depleting server resources and rendering the application unresponsive. The impact is strictly on availability, with no confidentiality or integrity effects, but it can fully disrupt services hosted on affected Mesop instances.

The issue has been addressed in Mesop version 1.2.5, as detailed in the project's GitHub security advisory (GHSA-3jr7-6hqp-x679), release notes, and the patching commit (760a2079b5c609038c826d24dfbcf9b0be98d987). Security practitioners should upgrade to version 1.2.5 or later and review WebSocket handling in custom applications for similar resource exhaustion risks.
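The mitigations listed above (SC-5 rate limiting, SC-6 resource bounds) and the advice to review WebSocket handling for similar risks can be made concrete. The following is an added, defender-side illustration written for this page; it is not Mesop's code and does not use Mesop's API. It shows a generic message dispatcher that replaces the thread-per-message pattern the advisory describes with a per-connection token bucket and a fixed-size worker pool guarded by a semaphore, so excess messages are rejected instead of spawning threads. The names `ManualClock`, `TokenBucket`, `BoundedDispatcher`, `simulate_flood` and `tokens_after_refill`, and the flood scenario itself, are constructed for the example.

```python
"""Bounded WebSocket message handling: an added defensive illustration.

Not Mesop's code.  A generic dispatcher that applies the two controls the
advisory recommends: a per-connection token bucket (NIST SC-5, rate
limiting) and a fixed-size pool capped by a semaphore (NIST SC-6, bounded
resource consumption).  All names and sample values are constructed here.
"""
import threading
import time
from collections import Counter
from concurrent.futures import ThreadPoolExecutor


class ManualClock:
    """Clock that advances only when told to, so the scenario is deterministic."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class TokenBucket:
    """Per-connection rate limiter: `rate` messages/second, bursts of up to `burst`."""
    def __init__(self, rate: float, burst: int, clock=time.monotonic) -> None:
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()

    def try_consume(self) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class BoundedDispatcher:
    """Runs message handlers on a fixed-size pool.

    The vulnerable pattern is one new OS thread per message with no limit.
    Here a semaphore caps in-flight handlers at `max_workers` and a token
    bucket caps each connection's message rate; anything beyond either limit
    is rejected with a reason rather than consuming another thread.
    """
    def __init__(self, max_workers: int, rate: float, burst: int, clock=time.monotonic) -> None:
        self._clock, self._rate, self._burst = clock, rate, burst
        self._pool = ThreadPoolExecutor(max_workers=max_workers)
        self._slots = threading.Semaphore(max_workers)  # SC-6: bounded threads
        self._buckets = {}                              # SC-5: per-connection limiter
        self._lock = threading.Lock()
        self.in_flight = 0
        self.peak_in_flight = 0

    def submit(self, conn_id: str, handler) -> str:
        with self._lock:
            bucket = self._buckets.setdefault(
                conn_id, TokenBucket(self._rate, self._burst, self._clock))
            if not bucket.try_consume():
                return "rate_limited"
        if not self._slots.acquire(blocking=False):
            return "saturated"  # pool full: shed load instead of spawning
        self._pool.submit(self._run, handler)
        return "accepted"

    def _run(self, handler) -> None:
        with self._lock:
            self.in_flight += 1
            self.peak_in_flight = max(self.peak_in_flight, self.in_flight)
        try:
            handler()
        finally:
            with self._lock:
                self.in_flight -= 1
            self._slots.release()

    def shutdown(self) -> None:
        self._pool.shutdown(wait=True)


def simulate_flood(n_messages: int = 1000, max_workers: int = 4, burst: int = 10) -> dict:
    """Constructed scenario: one connection sends `n_messages` at once while every
    handler is stuck (slow work).  Returns outcome counts plus the peak number of
    handlers that ran concurrently, which never exceeds `max_workers`."""
    clock = ManualClock()                    # frozen: no token refill during the burst
    dispatcher = BoundedDispatcher(max_workers, rate=5.0, burst=burst, clock=clock)
    gate = threading.Event()                 # handlers block until released
    outcomes = Counter(dispatcher.submit("conn-1", gate.wait) for _ in range(n_messages))
    gate.set()
    dispatcher.shutdown()
    result = dict(outcomes)
    result["peak_in_flight"] = dispatcher.peak_in_flight
    return result


def tokens_after_refill(idle_seconds: float, rate: float = 5.0, burst: int = 10) -> int:
    """Drain a bucket, idle for `idle_seconds`, then count how many messages it
    admits: a client that backs off is served again after the burst."""
    clock = ManualClock()
    bucket = TokenBucket(rate, burst, clock)
    while bucket.try_consume():
        pass
    clock.advance(idle_seconds)
    admitted = 0
    while bucket.try_consume():
        admitted += 1
    return admitted


if __name__ == "__main__":
    print(simulate_flood())          # accepted 4, saturated 6, rate_limited 990
    print(tokens_after_refill(1.0))  # 5
```

With a burst of 10 and 4 workers, the first 10 messages pass the rate limiter, the first 4 of those occupy the pool, the next 6 are shed as "saturated", and the remaining 990 are rejected by the token bucket; the thread count stays bounded regardless of how many messages arrive. In production the same two checks sit in front of whatever dispatches message handlers, and the rejection reasons are what you would log and alert on.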

Details

CWE(s): CWE-125, CWE-770

Affected Products

mesop-dev mesop: versions 1.2.3 up to, but not including, 1.2.5

CVEs Like This One

- CVE-2026-33054 (same product: Mesop-Dev Mesop)
- CVE-2026-33057 (same product: Mesop-Dev Mesop)
- CVE-2025-24033 (shared CWE-770)
- CVE-2024-57722 (shared CWE-770)
- CVE-2025-26466 (shared CWE-770)
- CVE-2025-64735 (shared CWE-125)
- CVE-2026-20103 (shared CWE-770)
- CVE-2024-12537 (shared CWE-770)
- CVE-2026-31641 (shared CWE-125)
- CVE-2025-27219 (shared CWE-770)
