CVE-2026-40036
Published: 08 April 2026
Summary
CVE-2026-40036 is a high-severity Data Amplification (CWE-409) vulnerability in Ryandfir Unfurl. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 39.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-40036 is an unbounded zlib decompression vulnerability in the parse_compressed.py component of Unfurl versions prior to 2026.04. The flaw allows remote attackers to trigger denial of service by having the application process maliciously crafted compressed data. It is associated with CWE-409 (Improper Handling of Highly Compressed Data) and CWE-770 (Allocation of Resources Without Limits or Throttling), and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The vulnerability is exploitable remotely over the network with no authentication or user interaction required. When a highly compressed payload is submitted via URL parameters to the /json/visjs endpoint, the decompression step expands it to gigabytes of data, exhausting server memory and crashing the Unfurl service.
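Added example (not Unfurl's code and not taken from the advisory): the unbounded inflate pattern beside a bounded one that stops as soon as a configured output cap is crossed, which is the resource-limiting behaviour the SC-5/SC-6 controls below describe. The cap, the step size and the two sample payloads are assumed values constructed here for illustration.

```python
import zlib

# Assumed policy values (not Unfurl's own settings): cap the inflated output
# and produce it in bounded steps so memory never grows past the cap.
MAX_INFLATED_BYTES = 1 * 1024 * 1024   # 1 MiB
STEP = 64 * 1024                       # output allowed per inflate call


class InflateLimitExceeded(ValueError):
    """The inflated output would exceed the configured cap."""


def inflate_unbounded(data: bytes) -> bytes:
    # Vulnerable pattern: the output size is dictated entirely by the input
    # stream, so a small payload may inflate to gigabytes before the caller
    # can react.
    return zlib.decompress(data)


def inflate_bounded(data: bytes, max_bytes: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate at most max_bytes, aborting as soon as the cap is crossed."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while not d.eof:
        # The second argument bounds this call's output; input that could not
        # be consumed yet is handed back in unconsumed_tail, not inflated.
        chunk = d.decompress(pending, STEP)
        if not chunk and not d.unconsumed_tail:
            raise zlib.error("truncated zlib stream")
        out += chunk
        if len(out) > max_bytes:
            raise InflateLimitExceeded(
                f"{len(data)}-byte input inflates past {max_bytes} bytes")
        pending = d.unconsumed_tail
    return bytes(out)


def classify(data: bytes, max_bytes: int = MAX_INFLATED_BYTES) -> str:
    """Return 'ok', 'rejected' (cap hit) or 'corrupt' for a payload."""
    try:
        inflate_bounded(data, max_bytes)
    except InflateLimitExceeded:
        return "rejected"
    except zlib.error:
        return "corrupt"
    return "ok"


# Constructed samples: a benign payload and a 16 MiB run of zeros that
# compresses to well under 1% of its size (the amplification at issue).
BENIGN = zlib.compress(b"https://example.test/?q=1")
BOMB = zlib.compress(b"\x00" * (16 * 1024 * 1024), 9)
```

With the 1 MiB cap, `classify(BOMB)` returns "rejected" after inflating only about 1 MiB, while `inflate_unbounded(BOMB)` allocates the full 16 MiB.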
The vulnerability is fixed in Unfurl release v2026.04, available at https://github.com/obsidianforensics/unfurl/releases/tag/v2026.04. Further details on the issue and remediation are provided in the GitHub security advisory at https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-h5qv-qjv4-pc5m and the VulnCheck advisory at https://www.vulncheck.com/advisories/dfir-unfurl-denial-of-service-via-unbounded-zlib-decompression.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20779
Vulnerability details
Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unbounded zlib decompression vulnerability directly enables remote exploitation of the application to cause denial of service via memory exhaustion from a specially crafted payload, mapping to application or system exploitation for endpoint DoS.
Mitigating Controls (NIST 800-53 r5)
SC-5 directly prevents denial-of-service attacks like memory exhaustion from unbounded zlib decompression by implementing resource limiting and attack mitigation mechanisms.
SC-6 protects against resource exhaustion by allocating and limiting system resources such as memory during processing of compressed payloads.
SI-2 mitigates the vulnerability by requiring timely application of the vendor-provided fix in Unfurl v2026.04 to remediate the unbounded decompression flaw.