CVE-2026-57220

Source
https://cve.org/CVERecord?id=CVE-2026-57220
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57220.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-57220
Aliases
  • GHSA-f364-87q5-j35q
Downstream
Published
2026-07-10T20:19:23.162Z
Modified
2026-07-15T01:49:20.467204482Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
RabbitMQ: Stream listener does not enforce configured frame-size limit during authentication, permitting unauth'd mem-exhaust DoS
Details

RabbitMQ is a messaging and streaming broker. Prior to 4.2.6, the RabbitMQ stream listener does not enforce the configured stream frame-size limit while assembling frames during authentication and before Tune negotiation, allowing an unauthenticated remote client to declare oversized frame lengths and consume broker memory in rabbitstreamcore. This issue is fixed in version 4.2.6.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57220.json"
}
References

Affected packages

Git / github.com/rabbitmq/rabbitmq-server

Affected ranges

Type
GIT
Repo
https://github.com/rabbitmq/rabbitmq-server
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "4.2.6"
        }
    ]
}

Affected versions

v4.*
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57220.json"