Cyber Resilience

CVE-2026-40303

HighDDoS

Published: 17 April 2026

Published
17 April 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0003 9.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40303 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Netfoundry Zrok. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-40303 is a vulnerability in zrok, an open-source software for sharing web services, files, and network resources. Prior to version 2.0.1, the endpoints.GetSessionCookie function parses an attacker-supplied cookie chunk count and allocates a slice using make([]string, count) without any upper bound check before performing token validation. This flaw affects both publicProxy and dynamicProxy components and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), mapped to CWEs-400 (Uncontrolled Resource Consumption) and CWE-789 (Memory Allocation with Excessive Size Value).

An unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to any OAuth-protected proxy share, as the function executes on every such request. By specifying an excessively large chunk count, the attacker triggers gigabyte-scale heap allocations, resulting in process-level out-of-memory (OOM) termination or repeated goroutine panics, causing denial-of-service.

The issue is addressed in zrok version 2.0.1, which patches the unbounded allocation. Details are available in the project's release notes at https://github.com/openziti/zrok/releases/tag/v2.0.1 and the security advisory at https://github.com/openziti/zrok/security/advisories/GHSA-cpf9-ph2j-ccr9.

EU & UK References

Vulnerability details

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on…

more

every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to trigger gigabyte-scale heap allocations per request, leading to process-level OOM termination or repeated goroutine panics. Both publicProxy and dynamicProxy are affected. Version 2.0.1 patches the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in public-facing zrok proxy service enables remote exploitation via crafted requests (T1190) to trigger unbounded memory allocation resulting in application DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42275Same product: Netfoundry Zrok
CVE-2026-39304Shared CWE-400
CVE-2026-21637Shared CWE-400
CVE-2025-40944Shared CWE-400
CVE-2025-70886Shared CWE-400
CVE-2026-46834Shared CWE-400
CVE-2026-33204Shared CWE-400
CVE-2026-23824Shared CWE-400
CVE-2026-34648Shared CWE-400
CVE-2025-56424Shared CWE-400

Affected Assets

netfoundry
zrok
≤ 2.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Information Input Validation requires checking and sanitizing the attacker-supplied cookie chunk count to prevent unbounded memory allocations from excessive values.

prevent

Denial-of-service Protection implements mechanisms like rate limiting or request throttling to block unauthenticated attackers from triggering repeated gigabyte-scale heap allocations.

prevent

Resource Availability employs safeguards such as memory quotas or limits to protect against unauthorized consumption leading to OOM termination or goroutine panics.

References