On Tue, May 12, 2026 at 2:13 PM Sebastian Pipping <[email protected]> wrote:
> > From my perspective CVE-2026-44927 is a low-severity security issue
> > that would be hard to exploit in reality since it requires an actual
> > 2gb+ input to even trigger. For example, in the context of PHP (which
> > uses the lib) you'd hit the memory limit long before this even triggers.
> > Therefore, this is "Low" severity from my perspective. Given the input
> > size, it definitely doesn't have a remote vector.
>
> I have no problem with this being considered "low severity" based
> on the payload size needed, but this /does/ have a remote vector that is
> independent of size constraints, as far as I am concerned. I just
> checked the definition of a remote attack vector a la CVSS [3][4] and
> it's not "adjacent", not "local", and not "physical": I see nothing
> stopping applications from parsing URI strings read "from the wire",
> directly or indirectly, the same way that XMPP parses XML from the wire.
> Am I missing something here?

That's a fair point. I'd still lean toward "low", perhaps low-medium in light of your comment. Parsing streaming URI strings from a wire without any cap is a bit unusual, but stranger things have happened. As you pointed out from the CVSS guide, it doesn't care about that.

--
Ilia Alshanetsky
Technologist, CTO, Entrepreneur
E: [email protected]
T: @iliaa
B: http://ilia.ws
