Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel.
This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.
{
"cwe_ids": [
"CWE-770"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6948.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "0.75.9"
}
],
"source": "AFFECTED_FIELD"
}
],
"cna_assigner": "rapid7"
}