๐Ÿ” CVE Alert

CVE-2026-59803

HIGH 7.5

rpcx - Denial of Service via Gzip Decompression Bomb in Wire Protocol

CVSS Score
7.5
EPSS Score
0.4%
EPSS Percentile
33th

rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode (protocol/message.go). When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in size guard, protocol.MaxMessageLength, is checked against the compressed on-the-wire frame length, not the decompressed size, so it provides no protection. Because decoding (and decompression) occurs in readRequest before authentication, a single unauthenticated connection can send a small (under 2 MB) gzip-compressed message that expands to gigabytes of heap allocation, leading to out-of-memory conditions and service unavailability.

CWE CWE-409
Vendor smallnest
Product rpcx
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for smallnest rpcx

Be the first to know when new high vulnerabilities affecting smallnest rpcx are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

smallnest / rpcx
0 โ‰ค 1.9.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/smallnest/rpcx/issues/942 github.com: https://github.com/smallnest/rpcx/pull/943 github.com: https://github.com/smallnest/rpcx/commit/047aec18efa7d037105e2b72c36dd2ae05e1acc6 vulncheck.com: https://www.vulncheck.com/advisories/rpcx-denial-of-service-via-gzip-decompression-bomb-in-wire-protocol

Credits

George Chen