{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-57220","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-06-24T02:21:33.810Z","datePublished":"2026-07-10T20:19:23.162Z","dateUpdated":"2026-07-10T20:19:23.162Z"},"containers":{"cna":{"title":"RabbitMQ: Stream listener does not enforce configured frame-size limit during authentication, permitting unauth'd mem-exhaust DoS","problemTypes":[{"descriptions":[{"cweId":"CWE-770","lang":"en","description":"CWE-770: Allocation of Resources Without Limits or Throttling","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-f364-87q5-j35q","tags":["x_refsource_CONFIRM"],"url":"https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-f364-87q5-j35q"},{"name":"https://github.com/rabbitmq/rabbitmq-server/pull/16171","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/pull/16171"},{"name":"https://github.com/rabbitmq/rabbitmq-server/pull/16173","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/pull/16173"},{"name":"https://github.com/rabbitmq/rabbitmq-server/commit/595ec28fa1621b1f2c28124e4e0466a8ad963547","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/commit/595ec28fa1621b1f2c28124e4e0466a8ad963547"},{"name":"https://github.com/rabbitmq/rabbitmq-server/commit/773a49c4921e8be990262a2d609c35916825679e","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/commit/773a49c4921e8be990262a2d609c35916825679e"},{"name":"https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.2.6","tags":["x_refsource_MISC"],"url":"https://github.com/rabbitmq/rabbitmq-server/releases/tag/v4.2.6"}],"affected":[{"vendor":"rabbitmq","product":"rabbitmq-server","versions":[{"version":">= 4.2.0, < 4.2.6","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-07-10T20:19:23.162Z"},"descriptions":[{"lang":"en","value":"RabbitMQ is a messaging and streaming broker. Prior to 4.2.6, the RabbitMQ stream listener does not enforce the configured stream frame-size limit while assembling frames during authentication and before Tune negotiation, allowing an unauthenticated remote client to declare oversized frame lengths and consume broker memory in rabbit_stream_core. This issue is fixed in version 4.2.6."}],"source":{"advisory":"GHSA-f364-87q5-j35q","discovery":"UNKNOWN"}}}}