CVE-2026-40303
Published: 17 April 2026
Summary
CVE-2026-40303 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Netfoundry Zrok. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Information Input Validation requires checking and sanitizing the attacker-supplied cookie chunk count to prevent unbounded memory allocations from excessive values.
Denial-of-service Protection implements mechanisms like rate limiting or request throttling to block unauthenticated attackers from triggering repeated gigabyte-scale heap allocations.
Resource Availability employs safeguards such as memory quotas or limits to protect against unauthorized consumption leading to OOM termination or goroutine panics.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing zrok proxy service enables remote exploitation via crafted requests (T1190) to trigger unbounded memory allocation resulting in application DoS (T1499.004).
NVD Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on…
more
every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.
Deeper analysisAI
CVE-2026-40303 is a vulnerability in zrok, an open-source software for sharing web services, files, and network resources. Prior to version 2.0.1, the endpoints.GetSessionCookie function parses an attacker-supplied cookie chunk count and allocates a slice using make([]string, count) without any upper bound check before performing token validation. This flaw affects both publicProxy and dynamicProxy components and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), mapped to CWEs-400 (Uncontrolled Resource Consumption) and CWE-789 (Memory Allocation with Excessive Size Value).
An unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to any OAuth-protected proxy share, as the function executes on every such request. By specifying an excessively large chunk count, the attacker triggers gigabyte-scale heap allocations, resulting in process-level out-of-memory (OOM) termination or repeated goroutine panics, causing denial-of-service.
The issue is addressed in zrok version 2.0.1, which patches the unbounded allocation. Details are available in the project's release notes at https://github.com/openziti/zrok/releases/tag/v2.0.1 and the security advisory at https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9.
Details
- CWE(s)