CVE-2026-41309
Published: 24 April 2026
Summary
CVE-2026-41309 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 22.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Input validation: validate the dimensions and headers of uploaded images and reject malformed or oversized inputs before decompression and resizing begins, so the exhausting allocation never happens.
- SC-6 (Resource Availability): enforce limits on memory and CPU allocated to image processing, so a file with extreme pixel dimensions cannot exhaust the host.
- SC-5 (Denial-of-service Protection): protect against denial-of-service events, including resource exhaustion triggered by specially crafted image uploads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The resource exhaustion flaw sits in public-facing image upload processing and can be triggered directly by an unauthenticated network attacker to cause an application-level DoS through excessive memory and CPU consumption; that is T1499.004, Application or System Exploitation.
NVD Description
Open Source Social Network (OSSN) is open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable to resource exhaustion. An attacker can upload a specially crafted image with extreme pixel dimensions (e.g., $10000 \times 10000$ pixels). While the compressed file size on disk may be small, the server attempts to allocate significant memory and CPU cycles during the decompression and resizing process, leading to a Denial of Service (DoS) condition. It is highly recommended to upgrade to OSSN 9.0. This version introduces stricter validation of image dimensions and improved resource management during the processing phase. Those who cannot upgrade immediately can mitigate the risk by adjusting their `php.ini` settings to strictly limit `memory_limit` and `max_execution_time` and/or implementing a client-side and server-side check on image headers to reject files exceeding reasonable pixel dimensions (e.g., $4000 \times 4000$ pixels) before processing begins.
Deeper analysis
CVE-2026-41309 is a resource exhaustion vulnerability affecting Open Source Social Network (OSSN), an open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable because image uploads are not adequately validated before processing. An attacker can upload a specially crafted image with extreme pixel dimensions, such as 10000 x 10000 pixels, that is small on disk but forces excessive memory allocation and CPU usage during server-side decompression and resizing (at roughly four bytes per decoded pixel, such an image expands to hundreds of megabytes in memory). This leads to a Denial of Service (DoS) condition. The CVSS v3.1 base score is 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H), and the associated weaknesses are CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
The vulnerability can be exploited by any unauthenticated attacker with network access to an OSSN instance that accepts image uploads; attack complexity is low and no user interaction is required. Successful exploitation consumes significant server resources, resulting in a high availability impact. The vector also records a low confidentiality impact (C:L) and no integrity impact.
Advisories recommend upgrading to OSSN version 9.0, which implements stricter image dimension validation and improved resource management during processing. For those unable to upgrade immediately, mitigations include configuring php.ini to enforce strict limits on memory_limit and max_execution_time, as well as adding client-side and server-side checks on image headers to reject files exceeding reasonable dimensions like 4000 x 4000 pixels before processing. Relevant details are available in the OSSN GitHub commit, issue tracker, and security advisory.
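The server-side header check the advisory recommends, as an added example that is not OSSN's own code. It relies on the fact that PHP's getimagesize() reads only the image header (PNG IHDR, JPEG SOF, GIF logical screen descriptor) and never decompresses pixel data, so it is cheap even on a decompression bomb. The 4000 x 4000 ceiling is the advisory's suggested value; the four-bytes-per-pixel estimate, the "half of memory_limit" budget, the function names, and the upload handler usage are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not OSSN project code. Requires PHP 8 with the GD extension.
// Assumptions: 4000x4000 limit taken from the advisory; BYTES_PER_PIXEL is an
// assumed approximation of a GD truecolor bitmap; $tmpPath is the uploaded
// temp file (e.g. $_FILES['image']['tmp_name']).

const MAX_WIDTH       = 4000;
const MAX_HEIGHT      = 4000;
const BYTES_PER_PIXEL = 4;   // assumed cost per decoded pixel

/** Parse a php.ini size such as "128M" or "1G"; -1 means unlimited. */
function parseIniBytes(string $value): int
{
    $value = trim($value);
    if ($value === '' || $value === '-1') {
        return -1;
    }
    $unit = strtoupper(substr($value, -1));
    $num  = (int) $value;    // leading-numeric cast: (int)"128M" === 128
    switch ($unit) {
        case 'G': return $num * 1024 ** 3;
        case 'M': return $num * 1024 ** 2;
        case 'K': return $num * 1024;
        default:  return $num;
    }
}

/**
 * Decide whether an uploaded image may be handed to the resizer.
 * Returns [bool $ok, string $reason].
 */
function checkImageDimensions(string $tmpPath, int $memoryLimitBytes): array
{
    // Header-only read: no pixel data is decoded here.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return [false, 'not a recognised image'];
    }
    [$width, $height] = $info;
    if ($width <= 0 || $height <= 0) {
        return [false, 'invalid dimensions'];
    }
    if ($width > MAX_WIDTH || $height > MAX_HEIGHT) {
        return [false, sprintf('%dx%d exceeds the %dx%d limit',
            $width, $height, MAX_WIDTH, MAX_HEIGHT)];
    }
    // Even within the pixel limit, keep the decoded bitmap inside the budget.
    $estimate = $width * $height * BYTES_PER_PIXEL;
    if ($memoryLimitBytes > 0 && $estimate > intdiv($memoryLimitBytes, 2)) {
        return [false, sprintf('decoded size ~%d MB would exceed half of memory_limit',
            intdiv($estimate, 1024 ** 2))];
    }
    return [true, 'ok'];
}

// Vulnerable pattern: decode first, ask questions later. A 10000x10000 PNG that
// is a few kilobytes on disk becomes roughly 400 MB once decoded here.
function decodeUnchecked(string $tmpPath): GdImage|false
{
    return imagecreatefromstring((string) file_get_contents($tmpPath));
}

// Hardened pattern: header check against the configured memory_limit, then decode.
function decodeChecked(string $tmpPath): GdImage|false
{
    $limit = parseIniBytes((string) ini_get('memory_limit'));
    [$ok, $reason] = checkImageDimensions($tmpPath, $limit);
    if (!$ok) {
        error_log("rejected upload: $reason");
        return false;
    }
    return imagecreatefromstring((string) file_get_contents($tmpPath));
}

// Usage inside an upload handler (assumed form field name "image"):
// $img = decodeChecked($_FILES['image']['tmp_name']);
```

The check must run before any imagecreatefrom*() or resize call, because those are the allocations the attacker is targeting; a client-side check is a usability nicety only, since the attacker controls the client. Tightening memory_limit in php.ini, as the advisory also suggests, is a second layer: it turns a host-wide exhaustion into a single failed request, but it does not replace the dimension check.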
Details
- CWE(s)