CVE Alert

CVE-2026-6948

MEDIUM 4.9

Unbounded Memory Allocation in VQLResponse Result-Set Writer

CVSS Score
4.9
EPSS Score
0.0%
EPSS Percentile
0th

Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel. This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.

CWE CWE-770
Vendor rapid7
Product velociraptor
Published May 3, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

Rapid7 / Velociraptor
0 < 0.76.4
0 < 0.75.9

References

NVD, CVE.org, EPSS Data
docs.velociraptor.app: https://docs.velociraptor.app/announcements/advisories/cve-2026-6948/

Credits

We thank Faisal Alhumaid ([email protected]) for reporting this issue responsibly. We also thank Mika Jarvinen ([email protected]) for reporting this issue responsibly at the same time.