CVE-2018-11793
Description
A stack overflow in Apache Mesos JSON parsing allows remote denial of service by sending deeply nested JSON payloads.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack overflow vulnerability exists in the JSON parser of Apache Mesos versions before 1.4.3, 1.5.2, 1.6.2, and 1.7.1 (that is, all releases before the 1.4 series, 1.4.0 through 1.4.2, 1.5.0 through 1.5.1, 1.6.0 through 1.6.1, and 1.7.0). The flaw is triggered when the parser processes a JSON payload containing deeply nested structures: each level of nesting adds another recursive call, and with no depth limit the recursion exhausts the call stack [1][2].
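The defensive pattern for this bug class, as an added example that is not Mesos code and not one of the fixes shipped in the patched releases: an iterative pre-check that bounds the nesting depth of untrusted JSON text before any recursive parser sees it. The depth limit, the helper names and the sample payloads are assumptions constructed for this example.

```cpp
#include <cstddef>
#include <string>

// Maximum nesting of objects/arrays accepted before the text is handed to a
// recursive parser. The value is an assumption for this example; derive it
// from the real message schema, which is a handful of levels, not thousands.
constexpr std::size_t kMaxJsonDepth = 64;

// Walk the raw JSON text once, iteratively, and report the deepest nesting of
// '[' / '{' it contains. Brackets inside string literals are ignored, including
// after backslash escapes, so "[[[[" inside a string does not count. Runs in
// O(n) with constant stack, so it cannot itself overflow on hostile input.
std::size_t jsonNestingDepth(const std::string& text) {
    std::size_t depth = 0, maxDepth = 0;
    bool inString = false, escaped = false;
    for (char c : text) {
        if (inString) {
            if (escaped)        escaped = false;
            else if (c == '\\') escaped = true;
            else if (c == '"')  inString = false;
            continue;
        }
        switch (c) {
            case '"':
                inString = true;
                break;
            case '[': case '{':
                if (++depth > maxDepth) maxDepth = depth;
                break;
            case ']': case '}':
                if (depth > 0) --depth;  // unbalanced closers are left to the parser
                break;
            default:
                break;
        }
    }
    return maxDepth;
}

// Gate to apply before a recursive parser sees attacker-controlled JSON:
// true means the payload is within the nesting budget and may be parsed.
bool jsonWithinDepthLimit(const std::string& text,
                          std::size_t limit = kMaxJsonDepth) {
    return jsonNestingDepth(text) <= limit;
}

// Constructed sample payload (not taken from any real Mesos message):
// n opening brackets followed by n closing ones.
std::string nestedArrays(std::size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}
```

A payload rejected by this gate never reaches the recursive parser, so the worst case is a bounded error response rather than a crashed master.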
Exploitation
An attacker needs neither authentication nor special privileges; the vulnerability can be exploited remotely by sending a crafted JSON message to a Mesos master, with no user interaction required beyond the master receiving the payload. The attack consists of delivering a JSON request with excessive nesting depth, which the parser attempts to process recursively until the stack overflows [1][2].
Impact
Successful exploitation causes a denial of service (DoS) of Mesos masters, rendering the entire Mesos-controlled cluster inoperable. The impact is limited to availability; there is no indication of confidentiality or integrity compromise [1][2].
Mitigation
Apache Mesos has released patched versions 1.4.3, 1.5.2, 1.6.2, and 1.7.1; users should upgrade to these or later versions immediately. No workarounds are described in the available references, and the CVE is not listed in the KEV catalog [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.mesos:mesos (Maven) | < 1.4.3 | 1.4.3 |
| org.apache.mesos:mesos (Maven) | >= 1.5.0, < 1.5.2 | 1.5.2 |
| org.apache.mesos:mesos (Maven) | >= 1.6.0, < 1.6.2 | 1.6.2 |
| org.apache.mesos:mesos (Maven) | >= 1.7.0, < 1.7.1 | 1.7.1 |
Affected products
- Apache Software Foundation / Apache Mesos. Range: Apache Mesos pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.1, 1.6.0 to 1.6.1, 1.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-p2xq-vcm7-xjj6 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-11793 (NVD entry)
- www.securityfocus.com/bid/107281 (SecurityFocus BID)
- lists.apache.org/thread.html/9be975c53e5ad612c7e0af39f5b88837fbfbc32108e587d3d8499844%40%3Cdev.mesos.apache.org%3E (Apache dev.mesos mailing-list thread)
News mentions
No linked articles in our index yet.