Undertow Out-of-Memory Error Vulnerability Leading to Remote Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Undertow. When a servlet calls HttpServletRequestImpl.getParameterNames(), directly or through any method that invokes it, oversized parameter names supplied by a client can trigger an OutOfMemoryError. An unauthenticated remote attacker can therefore exhaust the JVM heap simply by sending requests whose parameter names are very large, crashing the application or leaving it unresponsive.

Impact

Exploitation of this vulnerability causes a remote denial-of-service condition: the application runs out of memory and can crash or become unresponsive. Red Hat's advisory text additionally lists reading memory or files, modifying memory, and executing unauthorized code or commands as possible consequences. Nothing in the mechanism described above supports that broader wording: an OutOfMemoryError exhausts the heap but gives the attacker no read or write primitive, so treat denial of service as the confirmed impact unless a concrete path to the others is shown. Note also that a JVM which has thrown an OutOfMemoryError on one thread is no longer in a trustworthy state, so a crash is often the safer outcome than continuing to serve requests.
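The advisory names no fixed version, so the practical control until a fix is applied is to bound what the servlet layer can be asked to hold. The following is an added example, not code from the Undertow project or from the original advisory: an Undertow HttpHandler placed in front of the servlet deployment that rejects a request whose raw query string, or any single parameter name in it, exceeds a limit, together with server options that cap the request head, the request body and the parameter count. The class name ParameterNameGuard, the limits 4096 and 256, and the listener address are assumptions; the page does not say whether the OutOfMemoryError is reached through the query string or a form-encoded body, so both inputs are bounded.

```java
import io.undertow.Undertow;
import io.undertow.UndertowOptions;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.StatusCodes;

/**
 * Added example (not Undertow project code): a front handler that refuses
 * requests carrying oversized parameter names before they reach a servlet
 * that may call HttpServletRequestImpl.getParameterNames().
 *
 * Assumed limits: 4096 bytes of raw query string, 256 bytes per parameter name.
 */
public final class ParameterNameGuard implements HttpHandler {

    private final HttpHandler next;
    private final int maxQueryLength;
    private final int maxNameLength;

    public ParameterNameGuard(HttpHandler next, int maxQueryLength, int maxNameLength) {
        this.next = next;
        this.maxQueryLength = maxQueryLength;
        this.maxNameLength = maxNameLength;
    }

    /**
     * Checks the raw (still percent-encoded) query string. Scanning the raw
     * form allocates no decoded copy, and decoding can only shorten a name,
     * so the raw length is a safe upper bound for the decoded one.
     */
    static boolean queryWithinLimits(String query, int maxQueryLength, int maxNameLength) {
        if (query == null || query.isEmpty()) {
            return true;
        }
        if (query.length() > maxQueryLength) {
            return false;
        }
        int start = 0;
        while (true) {
            int amp = query.indexOf('&', start);
            int end = amp < 0 ? query.length() : amp;
            int eq = query.indexOf('=', start);
            int nameEnd = (eq < 0 || eq > end) ? end : eq; // name ends at '=' or at the pair's end
            if (nameEnd - start > maxNameLength) {
                return false;
            }
            if (amp < 0) {
                return true;
            }
            start = amp + 1;
        }
    }

    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        if (!queryWithinLimits(exchange.getQueryString(), maxQueryLength, maxNameLength)) {
            // Reject without ever building the parameter map; 414 matches the cause.
            exchange.setStatusCode(StatusCodes.REQUEST_URI_TOO_LONG);
            exchange.getResponseSender().send("parameter name too long");
            return;
        }
        next.handleRequest(exchange);
    }

    public static void main(String[] args) {
        // Stand-in for the servlet deployment handler returned by DeploymentManager.start().
        HttpHandler app = exchange ->
                exchange.getResponseSender().send("params: " + exchange.getQueryParameters().keySet());

        Undertow server = Undertow.builder()
                .addHttpListener(8080, "127.0.0.1")
                // Size of the request head Undertow will parse; the query string is part of it.
                .setServerOption(UndertowOptions.MAX_HEADER_SIZE, 16 * 1024)
                // Request body size: bounds form-encoded parameter names (default is unlimited).
                .setServerOption(UndertowOptions.MAX_ENTITY_SIZE, 1024L * 1024L)
                // Number of query/form parameters Undertow will parse per request.
                .setServerOption(UndertowOptions.MAX_PARAMETERS, 200)
                .setHandler(new ParameterNameGuard(app, 4096, 256))
                .build();
        server.start();
    }
}
```

In a real deployment, pass the HttpHandler returned by DeploymentManager.start() as the next handler instead of the placeholder lambda, so the check runs before any servlet code. The guard only sees the query string; form-encoded names in the body are bounded by MAX_ENTITY_SIZE rather than inspected individually. Pair this with a JVM flag such as -XX:+ExitOnOutOfMemoryError so that, if an OutOfMemoryError is still reached, the process restarts cleanly instead of serving requests from a corrupted heap.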

Added: Jan 30, 2026, 3:19 PM
Updated: Jan 30, 2026, 3:19 PM

Vulnerability Rating (custom algorithm)

  spread          6.4
  impact          2.5
  exploitability  7.6
  remediation     0.0
  relevance       2.6
  threat          0.0
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.