CVE-2022-29866
Description
OPC UA .NET Standard Stack 1.04.368 allows a remote attacker to exhaust the memory resources of a server via a crafted request that triggers Uncontrolled Resource Consumption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Uncontrolled resource consumption in OPC UA .NET Standard Stack 1.04.368 allows remote attackers to exhaust server memory via crafted requests.
The OPC UA .NET Standard Stack versions prior to the fix for CVE-2022-29866 contain an uncontrolled resource consumption vulnerability [2]. The root cause is improper handling of specially crafted OPC UA requests, which can lead to excessive memory allocation on the server without proper bounds checking.
An attacker can exploit this vulnerability remotely over the network without authentication [3]. By sending a series of malicious requests, the attacker triggers memory exhaustion, causing the server to become unresponsive or crash. The attack does not require any special privileges or prior knowledge of the system.
Successful exploitation results in a denial of service (DoS) condition, rendering the OPC UA server unavailable for legitimate clients [2]. This can disrupt industrial control systems and other critical infrastructure that rely on OPC UA for communication.
The OPC Foundation has released a security advisory and recommends upgrading to the latest version of the .NET Standard Stack [3]. Users should apply the patch immediately to mitigate the risk. No workarounds are available.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OPCFoundation.NetStandard.Opc.Ua.Core (NuGet) | < 1.4.368.58 | 1.4.368.58 |
Affected products
- OPC UA/OPC UA .NET Standard Stack
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-6fp8-cxc9-4fr9
- nvd.nist.gov/vuln/detail/CVE-2022-29866
- files.opcfoundation.org/SecurityBulletins/OPC%20Foundation%20Security%20Bulletin%20CVE-2022-29866.pdf
- github.com/OPCFoundation/UA-.NETStandard/security/advisories/GHSA-6fp8-cxc9-4fr9
- opcfoundation.org/security/