Nmap Denial-of-Service Vulnerability via XML Entity Expansion

Vulnerability

A denial-of-service vulnerability has been identified in Nmap version 7.70. It allows local attackers to crash the application through the XML scan import feature in Zenmap, Nmap's graphical user interface. The vulnerability arises from uncontrolled recursion when a malicious XML file with nested entity definitions is processed, which leads to excessive resource consumption and application failure.

Impact

Exploitation of this vulnerability causes Nmap to consume excessive system resources and crash, leading to a system crash on Windows 7 32-bit.

Reproduction

To reproduce this vulnerability, create a crafted XML file with nested entity definitions that exploit exponential entity expansion. Save the file, then open it using Zenmap's scan import functionality. The application will crash after consuming a large amount of system resources.
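A defensive pre-import check, added here as an example and not code from Nmap or Zenmap: it parses a scan file with Python's standard-library expat bindings and aborts at the first entity declaration in the DTD, before any entity reference in the body can be expanded. The function name `check_scan_xml` and the sample documents are constructed for illustration, and the check assumes that legitimate Nmap XML output declares no entities of its own.

```python
import xml.parsers.expat


class EntityDeclarationFound(Exception):
    """Raised from the expat handler when the DTD declares an entity."""


def check_scan_xml(data: bytes):
    """Return (ok, reason) for a scan file that is about to be imported.

    Entity declarations live in the DOCTYPE internal subset, which the parser
    reads before the document body. Raising from EntityDeclHandler stops the
    parse there, so no declared entity is ever expanded.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclarationFound(name)

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except EntityDeclarationFound as exc:
        return (False, "entity declaration rejected: %s" % exc)
    except xml.parsers.expat.ExpatError as exc:
        return (False, "not well-formed: %s" % exc)
    return (True, "no entity declarations")


# Constructed sample: a bare DOCTYPE with no internal subset passes the check.
CLEAN = (b'<?xml version="1.0"?>\n<!DOCTYPE nmaprun>\n'
         b'<nmaprun scanner="nmap"><host/></nmaprun>')

# Constructed sample: one harmless declared entity. The check refuses any
# declaration, so nested definitions are stopped at the first one.
WITH_ENTITY = (b'<?xml version="1.0"?>\n<!DOCTYPE nmaprun [<!ENTITY a "x">]>\n'
               b'<nmaprun scanner="nmap">&a;</nmaprun>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("with entity", WITH_ENTITY)):
        print(label, check_scan_xml(doc))
```

The predefined XML entities such as `&amp;` are not declared in a DTD, so files that use only those still pass.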

Added: Apr 26, 2026, 10:37 PM
Updated: Apr 26, 2026, 10:37 PM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.