Platform: Ziti Edge Router, Vulnerability Type: Unauthenticated Denial of Service, CVE-2026-40303 (Critical)

Listen to this Post

How CVE-2026-40303 Works

The vulnerability resides in the `GetSessionCookie` function, which handles “striped” (chunked) session cookies. It parses an attacker-controlled cookie chunk count value and uses it directly as the size for a slice allocation (make([]string, count)) with no upper bounds validation before any token or authentication checks. The function is invoked on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to cause the server to allocate massive amounts of memory. By sending a single crafted HTTP request containing a cookie header such as h3=__chunked__999999, the attacker can force the server to allocate a gigabyte-sized heap slice. This unbounded allocation leads to out-of-memory (OOM) termination of the proxy process or repeated goroutine panics. Sustained or concurrent requests cause the proxy to be completely unavailable for all users of all shares it serves.

dailycve form:
Platform: Ziti Edge Router
Version: 1.1.9 < 2.0.1
Vulnerability: Unbounded memory allocation
Severity: Critical
date: 2026-04-16
Prediction: Patch available 2026-04-23

What Undercode Say:

Simulate the attack (Conceptual)
curl -i -H "Cookie: h3=__chunked__999999" https://target-proxy/share

Exploit:

An attacker sends a single HTTP GET request to any OAuth-protected proxy share with a crafted `Cookie` header containing a large chunk count (e.g., h3=__chunked__999999). The `GetSessionCookie` function parses this value and allocates a slice of strings of that size, leading to immediate resource exhaustion.

Protection from this CVE

Update to Ziti Edge Router version `2.0.1` or later, where an upper bound validation has been implemented for the chunk count. Alternatively, deploy a Web Application Firewall (WAF) rule to block requests containing `__chunked__` followed by an excessively large numeric value.

Impact

Availability: High. A single request can cause OOM termination of the proxy process, making the entire service unavailable to all users of all shares it serves. Repeated attacks lead to continuous denial of service.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top