CVE-2026-6948

Summary

Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel.

This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.

Affected Software

VendorProductVersion RangeStatus
Rapid7Velociraptor0 < 0.76.4affected
Rapid7Velociraptor0 < 0.75.9affected

Weaknesses

  • CWE-770: CWE-770 Allocation of resources without limits or throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References