An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service in open62541. The serverUris field of FindServersRequest is not validated for length or array size. An attacker can declare an arbitrarily large string (up to ~3.9 GB) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configuration. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
CVE-2026-33592
Score 7.5 from GitHub Security Advisory (severity: HIGH) published 2026-07-02. a secondary CVSS source baseline 7.5; sources differ by 0.0.
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 7.5
- EG Score
- 7.5(high)
- EPSS
- 30.8%
- KEV
- Not listed
Published
July 2, 2026
Last Modified
July 2, 2026
Advisory Details (3)
Auto-updated Jul 2, 2026fix(server): Enforce default message and chunk size limits to prevent DoS
Patch available: open62541/open62541 v1.4.17 (PR #8142 merged 2026-06-23)
https://github.com/open62541/open62541/pull/8142/changes/d253818d6c5e870e1db0e360b18138c8bdc809aefix(server): Enforce default message and chunk size limits to prevent DoS
Patch available: open62541/open62541 v1.4.17 (PR #8142 merged 2026-06-23)
https://github.com/open62541/open62541/pull/8142GitHub - open62541/open62541: Open source implementation of OPC UA (OPC Unified Architecture) aka IEC 62541 licensed under Mozilla Public License v2.0 · GitHub
https://github.com/open62541/open62541Vendor Advisories for CVE-2026-33592(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 26× in last 7d / 26× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-06 20:09 UTCEG score recompute
- 2026-07-06 20:09 UTCGHSA enrichment
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 08:17 UTCEG score recompute
- 2026-07-06 08:17 UTCGHSA enrichment
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 20:25 UTCEG score recompute
- 2026-07-05 20:25 UTCGHSA enrichment
- 2026-07-05 08:33 UTCEG score recompute
- 2026-07-05 08:33 UTCGHSA enrichment
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 20:41 UTCEG score recompute
- 2026-07-04 20:41 UTCGHSA enrichment
- 2026-07-04 08:50 UTCEG score recompute
- 2026-07-04 08:49 UTCGHSA enrichment
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-03 20:58 UTCEG score recompute
- 2026-07-03 20:58 UTCGHSA enrichment
- 2026-07-03 09:06 UTCEG score recompute
- 2026-07-03 09:06 UTCGHSA enrichment
- 2026-07-02 21:14 UTCEG score recompute
- 2026-07-02 21:14 UTCGHSA enrichment
- 2026-07-02 09:23 UTCEG score recompute
Show 1 moreShow fewer
- 2026-07-02 09:23 UTCNVD updatefirst tracked
Frequently asked(5)
What is CVE-2026-33592?
When was CVE-2026-33592 disclosed?
Is CVE-2026-33592 actively exploited?
What is the CVSS score of CVE-2026-33592?
How do I remediate CVE-2026-33592?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-33592
Is Your Infrastructure Affected by CVE-2026-33592?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.