Fleet, Denial of Service, CVE-2024-XXXX (Critical)

Listen to this Post

How the mentioned CVE works

The vulnerability resides in Fleet’s gRPC Launcher endpoint, which handles communication from enrolled host nodes. The endpoint processes a gRPC message that includes a `log_type` field, intended to categorize log data sent by the launcher. Due to insufficient input validation and a lack of proper error recovery in the gRPC server’s request handler, an unexpected `log_type` value triggers a fatal condition. Instead of returning an error to the client, the server process executes a panic or unrecoverable error routine, causing the entire Fleet server process to terminate immediately. The gRPC server lacks a recover mechanism to catch panics from individual request handlers, so a single malformed request cascades into a full process crash. An attacker must first authenticate with a valid Launcher node key, a credential used by authorized hosts to communicate with the Fleet server. Once authenticated, the attacker crafts a gRPC request with a malformed or out-of-range `log_type` value. Upon receipt, the server attempts to process the value, encounters an unhandled case, and crashes. Since the crash is instantaneous and the gRPC server does not automatically restart, all ongoing services—including host connections, MDM enrollments, and API consumers—are disrupted. The vulnerability is repeatable, allowing an attacker to script consecutive crash requests, preventing the server from stabilizing even if restarted manually. The flaw exists because the handler for the Launcher endpoint fails to validate inputs against an expected enum or allowed set before processing, and the server’s error handling does not isolate failures to individual requests. No workaround exists aside from upgrading to a patched version where the endpoint safely rejects invalid inputs and recovers from errors without terminating the process.
Platform: Fleet
Version: Affected versions
Vulnerability: DoS via gRPC
Severity: Critical
date: 2026-03-31

Prediction: Patch already available

What Undercode Say:

Simulate a malformed gRPC request to the Launcher endpoint
grpcurl -insecure -d '{"log_type": 999}' \
-H "Authorization: Bearer $LAUNCHER_KEY" \
$FLEET_SERVER:443 fleet.Launcher/IngestLogs
Monitor Fleet server process stability
while true; do
pgrep -x "fleet" || echo "Server crashed at $(date)"
sleep 1
done

Exploit:

Authenticated attacker sends crafted gRPC request with invalid log_type value, triggering immediate server termination without error recovery.

Protection from this CVE

Upgrade Fleet to the patched version where input validation and graceful error handling are implemented in the gRPC Launcher endpoint.

Impact

Complete Fleet server crash, disrupting all connected hosts, MDM enrollments, API consumers, and resulting in persistent denial of service.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top