Cyber Posture

CVE-2026-40036

Severity: High · Public PoC referenced

Published: 08 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: available (v2026.04)

CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0016 (35.9th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40036 is a high-severity data amplification vulnerability (CWE-409, Improper Handling of Highly Compressed Data) in Ryandfir Unfurl, with a CVSS v3.1 base score of 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1499.004 (Application or System Exploitation). EPSS ranks it at the 35.9th percentile by exploit likelihood, below the median; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-5 (Denial-of-service Protection), prevent: SC-5 addresses denial-of-service conditions such as memory exhaustion from unbounded zlib decompression by requiring resource-limiting and attack-mitigation mechanisms, for example a hard ceiling on decoded size per request.

SC-6 (Resource Availability), prevent: SC-6 protects against resource exhaustion by allocating and limiting system resources such as memory during processing of compressed payloads.

SI-2 (Flaw Remediation), prevent: SI-2 mitigates the vulnerability by requiring timely application of the vendor-provided fix in Unfurl v2026.04, which remediates the unbounded decompression flaw.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The unbounded zlib decompression flaw lets a remote attacker cause denial of service through memory exhaustion with a single specially crafted payload, no authentication or user interaction required. That is endpoint DoS achieved by exploiting the application itself, which maps to T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allows remote attackers to cause denial of service. Attackers can submit highly compressed payloads via URL parameters to the /json/visjs endpoint that expand to gigabytes, exhausting server memory and crashing the service.

Deeper analysis

CVE-2026-40036 is an unbounded zlib decompression vulnerability in the parse_compressed.py component of Unfurl versions prior to 2026.04. The flaw allows remote attackers to trigger denial of service by submitting maliciously crafted compressed data. It is associated with CWE-409 (Improper Handling of Highly Compressed Data) and CWE-770 (Allocation of Resources Without Limits or Throttling), and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Attackers can exploit the vulnerability remotely over the network with no authentication or user interaction required. By submitting highly compressed payloads via URL parameters to the /json/visjs endpoint, the decompression process expands the data to gigabytes in size, exhausting server memory and crashing the Unfurl service.
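The following Python is an added illustration and is not code from Unfurl, the advisory or the PoC. It contrasts the vulnerable pattern the advisory describes, a bare zlib.decompress() call whose output size is attacker-controlled, with a bounded decoder built on zlib.decompressobj() that aborts on the first byte over a ceiling. The payload (8 MiB of zeros), the function names and the limits are constructed for this example and do not reproduce parse_compressed.py or the /json/visjs handler; the ratio-based ceiling is one policy choice, not something the fix release is known to use.

```python
import zlib

# Constructed sample payload for this example (not the advisory's PoC):
# 8 MiB of zero bytes, which deflate shrinks to a few KiB. The expansion
# ratio is on the order of 1000:1, which is the property an attacker relies on.
ORIGINAL_SIZE = 8 * 1024 * 1024
BOMB = zlib.compress(b"\x00" * ORIGINAL_SIZE, 9)

# A benign stream of the kind a real request would carry (also constructed).
SMALL = zlib.compress(b"hello world")


class DecompressionLimitExceeded(ValueError):
    """Raised when a stream would expand past the configured ceiling."""


def decompress_unbounded(data: bytes) -> bytes:
    """Vulnerable pattern: zlib.decompress() allocates whatever the stream
    expands to. The attacker chooses the expansion; RAM is the only limit."""
    return zlib.decompress(data)


def decompress_bounded(data: bytes, max_output: int, max_ratio: int = 100) -> bytes:
    """Hardened pattern: stream through a decompressobj, asking for at most
    cap + 1 bytes so the first byte over the ceiling aborts the decode before
    the rest of the stream is ever materialised.

    Two ceilings apply (both are policy values assumed for this example):
      max_output: absolute cap on decoded bytes per request
      max_ratio:  cap relative to the input size, so a tiny request cannot
                  legitimately demand a huge allocation
    """
    cap = min(max_output, len(data) * max_ratio)
    d = zlib.decompressobj()
    out = bytearray()
    buf = data
    while True:
        # Room left before the ceiling, plus one byte to detect the overflow.
        chunk = d.decompress(buf, cap + 1 - len(out))
        out += chunk
        if len(out) > cap:
            raise DecompressionLimitExceeded(
                f"decoded output exceeds {cap} bytes (input was {len(data)} bytes)"
            )
        if d.eof:
            return bytes(out)
        buf = d.unconsumed_tail
        if not buf and not chunk:
            # No input left and no output produced: truncated or corrupt stream.
            raise zlib.error("incomplete zlib stream")


def decoded_size(data: bytes, slice_size: int = 64 * 1024) -> int:
    """Measure how far a suspect stream expands without holding the output:
    decode in fixed-size slices and only count them. Memory stays flat; CPU
    time is still proportional to the decoded size, so use it offline."""
    d = zlib.decompressobj()
    total = 0
    buf = data
    while not d.eof:
        chunk = d.decompress(buf, slice_size)
        if not chunk and not d.unconsumed_tail:
            raise zlib.error("incomplete zlib stream")
        total += len(chunk)
        buf = d.unconsumed_tail
    return total


def rejects(data: bytes, max_output: int) -> bool:
    """True if the bounded decoder refuses `data` under the given ceiling."""
    try:
        decompress_bounded(data, max_output)
    except DecompressionLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    print(f"payload: {len(BOMB)} bytes compressed, "
          f"{decoded_size(BOMB)} bytes decoded "
          f"(x{decoded_size(BOMB) // len(BOMB)})")
    print(f"unbounded decode allocates {len(decompress_unbounded(BOMB))} bytes")
    print(f"bounded decode (1 MiB ceiling) rejects payload: "
          f"{rejects(BOMB, 1024 * 1024)}")
    print(f"bounded decode of benign stream: {decompress_bounded(SMALL, 1024)!r}")
```

The ceiling should be set from what the endpoint actually needs to decode (the URL fragments Unfurl parses are small), and the request should be rejected with a client error rather than logged-and-retried, since the attacker pays only a few kilobytes per attempt.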

The vulnerability is fixed in Unfurl release v2026.04, available at https://github.com/obsidianforensics/unfurl/releases/tag/v2026.04. Further details on the issue and remediation are provided in the GitHub security advisory at https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-h5qv-qjv4-pc5m and the VulnCheck advisory at https://www.vulncheck.com/advisories/dfir-unfurl-denial-of-service-via-unbounded-zlib-decompression.

Details

CWE(s): CWE-409 (Improper Handling of Highly Compressed Data), CWE-770 (Allocation of Resources Without Limits or Throttling)

Affected Products: ryandfir unfurl, versions before 2026.04 (fixed in v2026.04)

CVEs Like This One

CVE-2026-40035 (same product: Ryandfir Unfurl)
CVE-2026-33256 (shared CWE-770)
CVE-2026-26313 (shared CWE-770)
CVE-2025-27219 (shared CWE-770)
CVE-2026-24458 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
CVE-2026-3260 (shared CWE-770)
CVE-2024-7765 (shared CWE-409)
CVE-2026-34513 (shared CWE-770)
CVE-2026-22776 (shared CWE-409)
