CVE-2026-43506
Published: 01 May 2026
Summary
CVE-2026-43506 is a medium-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Prosody (vendor Prosody, product Prosody). Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 18.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
Flaw remediation requires timely patching of the Prosody memory leak vulnerability to prevent exploitation via unauthenticated connections.
Denial-of-service protection implements mechanisms to counter resource exhaustion attacks, such as repeated unauthenticated connections that trigger memory leaks.
Resource availability protects memory and other system resources from exhaustion by limiting and controlling allocations during excessive unauthenticated connection attempts.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The memory leak in a public-facing XMPP server can be exploited via repeated unauthenticated connections to exhaust resources and deny service availability, which maps directly to Application or System Exploitation (T1499.004) for endpoint denial of service.
NVD Description
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory exhaustion caused by memory leaks from unauthenticated connections.
Deeper analysis (AI-generated)
CVE-2026-43506 is a memory leak vulnerability in Prosody, an open-source XMPP server, affecting versions prior to 0.12.6 as well as versions 1.0.0 through 13.0.0 before 13.0.5. The flaw, classified under CWE-401 (Missing Release of Memory after Effective Lifetime, i.e. a memory leak), enables denial of service through memory exhaustion triggered by unauthenticated connections. It received a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity with low availability impact.
Any unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. By repeatedly establishing unauthenticated connections, the attacker causes progressive memory leaks, eventually exhausting server resources and disrupting service availability for legitimate users.
The official Prosody security advisory (https://prosody.im/security/advisory_735dd9d3/) and the OSS-Security mailing list announcement (https://www.openwall.com/lists/oss-security/2026/05/01/5) recommend upgrading to Prosody 0.12.6 or 13.0.5, which resolve the memory leak issue in handling unauthenticated connections. No additional workarounds are specified in the provided references.
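As an added example (not code from the advisory or the Prosody project), the following Python script applies the NVD version ranges above to an inventory of Prosody hosts to find those still needing the 0.12.6 or 13.0.5 upgrade; the hostnames and versions are constructed, and how the installed version is collected is left to your inventory tooling.

```python
"""Version check for CVE-2026-43506 (added example, not from the advisory).

Affected ranges are taken from the NVD description on this page:
  - any Prosody release before 0.12.6, and
  - 1.0.0 through 13.0.x before 13.0.5.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Boundaries exactly as stated in the NVD text.
FIXED_0_12: Version = (0, 12, 6)   # first fixed release on the 0.12 line
FIRST_1_X: Version = (1, 0, 0)     # start of the second affected range
FIXED_13: Version = (13, 0, 5)     # first fixed release on the 13.0 line


def parse_version(text: str) -> Version:
    """Extract major.minor[.patch] from strings such as "0.12.5",
    "13.0.4" or "Prosody 13.0.4-1"; a missing patch component is 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True when the version lies in one of the two advisory ranges."""
    v = parse_version(version)
    if v < FIXED_0_12:
        return True                    # 0.x.y earlier than 0.12.6
    return FIRST_1_X <= v < FIXED_13   # 1.0.0 up to and including 13.0.4


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose recorded Prosody version still needs the upgrade
    to 0.12.6 or 13.0.5 recommended by the advisory."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "xmpp-a.example.net": "0.12.5",
    "xmpp-b.example.net": "0.12.6",
    "xmpp-c.example.net": "Prosody 13.0.4",
    "xmpp-d.example.net": "13.0.5-1",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2026-43506")
```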
Details
- CWE(s)