CVE-2026-40324

Critical

Published: 18 April 2026

Published

18 April 2026

Modified

20 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0004 13.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40324 is a critical-severity Uncontrolled Recursion (CWE-674) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the stack overflow flaw in Hot Chocolate's Utf8GraphQLParser by upgrading to patched versions that enforce recursion depth limits.

SC-5 Denial-of-service Protection good match

prevent

Implements denial-of-service protections at the GraphQL endpoint to block crafted deeply nested payloads that trigger uncatchable StackOverflowException and process termination.

SI-10 Information Input Validation good match

prevent

Mandates validation of GraphQL document inputs for excessive recursion depth in selection sets, object values, lists, or types before parser execution to avert stack overflow.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Vulnerability in public-facing GraphQL server parser allows remote unauth crafted input to trigger uncatchable StackOverflowException and process crash, directly enabling T1190 (exploit public-facing app) for T1499.004 (application/system exploitation leading to DoS).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or…

list types can trigger a `StackOverflowException` on payloads as small as 40 KB. Because `StackOverflowException` is uncatchable in .NET (since .NET 2.0), the entire worker process is terminated immediately. All in-flight HTTP requests, background `IHostedService` tasks, and open WebSocket subscriptions on that worker are dropped. The orchestrator (Kubernetes, IIS, etc.) must restart the process. This occurs before any validation rules run — `MaxExecutionDepth`, complexity analyzers, persisted query allow-lists, and custom `IDocumentValidatorRule` implementations cannot intercept the crash because `Utf8GraphQLParser.Parse` is invoked before validation. The `MaxAllowedFields=2048` limit does not help because the crashing payloads contain very few fields. The fix in versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14 adds a `MaxAllowedRecursionDepth` option to `ParserOptions` with a safe default, and enforces it across all recursive parser methods (`ParseSelectionSet`, `ParseValueLiteral`, `ParseObject`, `ParseList`, `ParseTypeReference`, etc.). When the limit is exceeded, a catchable `SyntaxException` is thrown instead of overflowing the stack. There is no application-level workaround. `StackOverflowException` cannot be caught in .NET. The only mitigation is to upgrade to a patched version. Operators can reduce (but not eliminate) risk by limiting HTTP request body size at the reverse proxy or load balancer layer, though the smallest crashing payload (40 KB) is well below most default body size limits and is highly compressible (~few hundred bytes via gzip).

Deeper analysisAI

CVE-2026-40324 affects Hot Chocolate, an open-source GraphQL server for .NET, specifically versions prior to 12.22.7, 13.9.16, 14.3.1, and 15.1.14. The vulnerability resides in the recursive descent parser `Utf8GraphQLParser`, which lacks a recursion depth limit. A crafted GraphQL document featuring deeply nested selection sets, object values, list values, or list types—possible with payloads as small as 40 KB—triggers a `StackOverflowException`. This exception is uncatchable in .NET, causing immediate termination of the entire worker process and disrupting all in-flight HTTP requests, background `IHostedService` tasks, and open WebSocket subscriptions.

The attack requires no authentication or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, score 9.1) and can be executed by any remote attacker with network access to the GraphQL endpoint. Exploitation occurs before validation rules like `MaxExecutionDepth`, complexity analyzers, persisted query allow-lists, or custom `IDocumentValidatorRule` implementations, as `Utf8GraphQLParser.Parse` runs first. The `MaxAllowedFields=2048` limit is ineffective against these payloads, which contain few fields. Successful exploitation results in denial of service, forcing the orchestrator (e.g., Kubernetes, IIS) to restart the process.

Patched versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14 introduce a `MaxAllowedRecursionDepth` option in `ParserOptions` with a safe default, enforced across recursive methods like `ParseSelectionSet`, `ParseValueLiteral`, `ParseObject`, `ParseList`, and `ParseTypeReference`. Exceeding the limit throws a catchable `SyntaxException` instead of stack overflow. There is no application-level workaround, as `StackOverflowException` cannot be caught; upgrading is required. Operators can partially mitigate by limiting HTTP request body size at reverse proxies or load balancers, though the 40 KB payloads are compressible to a few hundred bytes via gzip and often below defaults. Fix details are in GitHub commits such as 08c0caa42ca33c121bbed49d2db892e5bf6fb541 and pull request #9528.

Details

CWE(s): CWE-674

CVEs Like This One

CVE-2026-3520Shared CWE-674

CVE-2025-70955Shared CWE-674

CVE-2026-33508Shared CWE-674

CVE-2026-1069Shared CWE-674

CVE-2026-31899Shared CWE-674

CVE-2026-33908Shared CWE-674

CVE-2026-25048Shared CWE-674

CVE-2026-41636Shared CWE-674

CVE-2026-32944Shared CWE-674

CVE-2026-39376Shared CWE-674

References

https://github.com/ChilliCream/graphql-platform/commit/08c0caa42ca33c121bbed49d2db892e5bf6fb541
security-advisories@github.com
https://github.com/ChilliCream/graphql-platform/commit/4cbaf67d366f800fc1e484bc5c06dfcf27b45023
security-advisories@github.com
https://github.com/ChilliCream/graphql-platform/commit/b185eb276c9ee227bd44616ff113be7f01a66c69
security-advisories@github.com
https://github.com/ChilliCream/graphql-platform/commit/b9271e6a500484c002fd528dcd34d1a9b445480f
security-advisories@github.com
https://github.com/ChilliCream/graphql-platform/pull/9528
security-advisories@github.com
https://github.com/ChilliCream/graphql-platform/pull/9530
security-advisories@github.com
https://github.com/ChilliCream/graphql-platform/pull/9531
security-advisories@github.com
https://github.com/ChilliCream/graphql-platform/releases/tag/12.22.7
security-advisories@github.com
https://github.com/ChilliCream/graphql-platform/releases/tag/13.9.16
security-advisories@github.com
https://github.com/ChilliCream/graphql-platform/releases/tag/14.3.1
security-advisories@github.com
https://github.com/ChilliCream/graphql-platform/releases/tag/15.1.14
security-advisories@github.com
https://github.com/ChilliCream/graphql-platform/security/advisories/GHSA-qr3m-xw4c-jqw3
security-advisories@github.com