OSEC-2026-09

Import Source
https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-09.json
JSON Data
https://api.osv.dev/v1/vulns/OSEC-2026-09
Published
2026-05-28T08:59:44Z
Modified
2026-05-29T14:30:04.495501323Z
Severity
  • 4.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
Summary
Albatross-console memory exhaustion
Details

Albatross-console does not terminate properly when looping over its ring buffer of console output. This leads to a hang (denial of service) and memory exhaustion.

Scenario

A user who has access to albatross-console, either via the unix domain socket (requires root:albatross by default) or via albatross-tls-endpoint (requires a valid certificate and a running unikernel), can send a specially crafted query for console logs that makes albatross-console hang and eventually exhaust memory.

Detailed description

Albatross-console receives console messages from running unikernels via named pipes. These console messages are stored in memory in a ring buffer with a non-configurable default size of 1024 lines. A client queries the console output of a unikernel with either a count or a timestamp to limit the output. A bug in the ring buffer logic means that once the ring buffer is full (holds 1024 lines) the loop's termination condition no longer works.

When limiting by timestamp, a timestamp earlier than all console output recorded in the ring buffer bypasses the termination logic: albatross-console loops over the ring buffer indefinitely, accumulating its entries in a list until memory is exhausted.

When limiting by count, the termination logic does not take into account how many entries the ring buffer actually holds once it is full. A very large or negative count makes albatross-console loop over the ring buffer, accumulating entries in a list until the length of the list equals the requested count (an OCaml int). As that count can be max_int or -1, this exhausts memory too.
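The two failing traversals described above, as an added example that is not albatross-console's code: a toy ring buffer reconstructed from the advisory's description, with a buggy query that stops only on an empty slot or a satisfied limit next to a bounded query that also stops after visiting every stored entry. All names, the capacity of 4 (instead of 1024) and the fuel step budget are assumptions made for the demonstration.

```ocaml
(* Added example, not albatross-console's code: a toy ring buffer modelled on
   the advisory's description. Names, the capacity of 4 (instead of 1024) and
   the [fuel] step budget are assumptions made for the demonstration. *)

type entry = { ts : int; line : string }

type ring = {
  cap : int;
  buf : entry option array;
  mutable next : int;    (* slot the next write goes to *)
  mutable stored : int;  (* live entries, at most [cap] *)
}

let create cap = { cap; buf = Array.make cap None; next = 0; stored = 0 }

(* Overwrites the oldest entry once the buffer is full. *)
let push r e =
  r.buf.(r.next) <- Some e;
  r.next <- (r.next + 1) mod r.cap;
  if r.stored < r.cap then r.stored <- r.stored + 1

type limit = Count of int | Since of int

type outcome = Lines of string list | Hung

(* Buggy traversal: walks backwards from the newest entry and stops only on an
   empty slot or when the limit is met. A full buffer has no empty slot, so a
   count that can never equal the list length (max_int, -1) or a timestamp older
   than every entry keeps walking the ring and growing [acc] without bound.
   [fuel] is an added step budget so this demonstration itself terminates;
   the real bug has no such bound. *)
let query_buggy ~fuel r limit =
  let rec go i acc steps =
    let satisfied =
      match limit with
      | Count n -> List.length acc = n
      | Since _ -> false
    in
    if satisfied then Lines acc
    else if steps >= fuel then Hung
    else begin
      let i = (i - 1 + r.cap) mod r.cap in
      match r.buf.(i) with
      | None -> Lines acc
      | Some e ->
        (match limit with
         | Since t when e.ts < t -> Lines acc
         | _ -> go i (e.line :: acc) (steps + 1))
    end
  in
  go r.next [] 0

(* Bounded traversal: never visits more slots than there are stored entries,
   and treats a count as an upper bound rather than an exact target, so a
   negative or oversized count cannot drive the loop past the buffer. *)
let query_fixed r limit =
  let rec go i acc seen =
    let satisfied =
      match limit with
      | Count n -> List.length acc >= n
      | Since _ -> false
    in
    if satisfied || seen >= r.stored then acc
    else begin
      let i = (i - 1 + r.cap) mod r.cap in
      match r.buf.(i) with
      | None -> acc
      | Some e ->
        (match limit with
         | Since t when e.ts < t -> acc
         | _ -> go i (e.line :: acc) (seen + 1))
    end
  in
  go r.next [] 0

let () =
  let r = create 4 in
  (* Constructed sample: five lines into four slots fills the buffer and
     overwrites the oldest ("boot"). *)
  List.iteri (fun i l -> push r { ts = 100 + i; line = l })
    [ "boot"; "dhcp"; "http"; "tls"; "exit" ];
  let show = function
    | Hung -> "HUNG: fuel exhausted, would keep allocating until OOM"
    | Lines ls -> String.concat "," ls
  in
  let fixed lim = String.concat "," (query_fixed r lim) in
  Printf.printf "buggy count 2       : %s\n" (show (query_buggy ~fuel:1000 r (Count 2)));
  Printf.printf "buggy count max_int : %s\n" (show (query_buggy ~fuel:1000 r (Count max_int)));
  Printf.printf "buggy count -1      : %s\n" (show (query_buggy ~fuel:1000 r (Count (-1))));
  Printf.printf "buggy since 0       : %s\n" (show (query_buggy ~fuel:1000 r (Since 0)));
  Printf.printf "fixed count max_int : %s\n" (fixed (Count max_int));
  Printf.printf "fixed count -1      : %s\n" (fixed (Count (-1)));
  Printf.printf "fixed since 0       : %s\n" (fixed (Since 0));
  Printf.printf "fixed since 103     : %s\n" (fixed (Since 103))
```

Run it with `ocaml ring_demo.ml` (filename assumed). With the buffer full, the buggy traversal answers the small count but reports a hang for max_int, -1 and a timestamp older than every entry, which is exactly the class of query the advisory describes; the bounded version returns at most the four stored lines for every limit. Note that the buggy loop only misbehaves once the buffer has wrapped, matching the Scope statement that the unikernel must produce enough output to fill the ring.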

Scope

The bug was introduced in 8a113e5ce07f062c701abb1c09ba3ce3147db867 and the affected versions are v1.0.0 through v2.7.1. The vulnerability is only exploitable by users who can send console subscription commands for unikernels that produce enough log output to fill the ring buffer (1024 lines). It is not exploitable by unauthorized clients.

Database specific
{
    "cwe": [
        "CWE-770",
        "CWE-405"
    ],
    "human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2026/OSEC-2026-09.md",
    "osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2026/OSEC-2026-09.json"
}
Credits
    • Reynir Björnsson - REPORTER
    • Reynir Björnsson - REMEDIATION_DEVELOPER
    • Edwin Török - COORDINATOR

Affected packages

opam / albatross

Package

Name
albatross
Purl
pkg:opam/albatross

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
2.7.2
Type
GIT
Repo
https://git.robur.coop/robur/albatross.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e07de2a904133e633773302d335ceb1f2c9945da

Affected versions

1.*
1.0.1
1.1.0
1.1.1
1.2.0
1.3.0
1.3.1
1.4.0
1.4.1
1.4.2
1.4.3
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
2.*
2.0.0
2.1.0
2.2.0
2.3.0
2.4.0
2.4.1
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
2.7.0
2.7.1

Ecosystem specific

{
    "opam_constraint": "albatross {>= \"1.0.0\" & < \"2.7.2\"}"
}

Database specific

source
"https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-09.json"