Low severity3.6NVD Advisory· Published Jun 5, 2026· Updated Jun 5, 2026

CVE-2026-11330

Description

A use-after-free vulnerability in thedotmack claude-mem allows local attackers to cause denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in thedotmack claude-mem allows local attackers to cause denial of service.

Vulnerability

A weakness exists in the computeObservationContentHash function within src/services/sqlite/observations/store.ts in thedotmack claude-mem up to version 11.0.1. This vulnerability stems from the use of a weak hashing algorithm that can lead to collisions. The attack requires local execution and is rated as having high complexity and being difficult to exploit.

Exploitation

An attacker with local access to the affected system can trigger this vulnerability. The exploit involves manipulating input data to the computeObservationContentHash function in a way that causes hash collisions due to the weak hashing mechanism. The exact sequence of steps is not detailed but relies on the difficulty of exploiting the weak hash.

Impact

The primary impact of this vulnerability is a denial of service. By causing hash collisions, an attacker can disrupt the normal operation of the claude-mem application. The available references do not indicate that this vulnerability leads to information disclosure or remote code execution.

Mitigation

This issue is resolved in claude-mem version 12.0.0, released on or before June 5, 2026. Upgrading to version 12.0.0 or later is recommended to mitigate this vulnerability. The specific patch commit is f32fda8b35e9fe9329f87da65c31149362a03f97 [4].

References

Merge branch 'pr-1494' into integration/validation-batch · thedotmack/claude-mem@f32fda8

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Thedotmack/Claude Memreferences2 versions
(expand)+ 1 more
- (no CPE)
- (no CPE)range: <=11.0.1

Patches

f32fda8b35e9

Merge branch 'pr-1494' into integration/validation-batch

https://github.com/thedotmack/claude-memAlex NewmanApr 6, 2026via nvd-ref

commit PR #1494

2 files changed · +11 −1

src/services/sqlite/observations/store.ts+1 −1 modified

@@ -22,7 +22,7 @@ export function computeObservationContentHash(
   narrative: string | null
 ): string {
   return createHash('sha256')
-    .update((memorySessionId || '') + (title || '') + (narrative || ''))
+    .update([memorySessionId || '', title || '', narrative || ''].join('\x00'))
     .digest('hex')
     .slice(0, 16);
 }

tests/sqlite/data-integrity.test.ts+10 −0 modified

@@ -69,6 +69,16 @@ describe('TRIAGE-03: Data Integrity', () => {
       expect(hash.length).toBe(16);
     });
 
+    it('computeObservationContentHash avoids collision from field boundary ambiguity', () => {
+      // These tuples would collide without a delimiter between fields
+      const hash1 = computeObservationContentHash('session-abc', 'debug log', '');
+      const hash2 = computeObservationContentHash('session-ab', 'cdebug log', '');
+      const hash3 = computeObservationContentHash('session-', 'abcdebug log', '');
+      const hash4 = computeObservationContentHash('', 'session-abcdebug log', '');
+      const hashes = new Set([hash1, hash2, hash3, hash4]);
+      expect(hashes.size).toBe(4);
+    });
+
     it('storeObservation deduplicates identical observations within 30s window', () => {
       const memId = createSessionWithMemoryId(db, 'content-dedup-1', 'mem-dedup-1');
       const obs = createObservationInput({ title: 'Same Title', narrative: 'Same Narrative' });

Vulnerability mechanics

Root cause

"The computeObservationContentHash function uses weak hashing by concatenating fields without proper delimiters, leading to potential hash collisions."

Attack vector

An attacker with local access must trigger the computeObservationContentHash function. This function is part of the Observation Content Hash Handler component. By manipulating the input to this function, an attacker can cause hash collisions, leading to unintended data manipulation or integrity issues. The attack requires high complexity and is difficult to exploit.

Affected code

The vulnerability resides in the computeObservationContentHash function located in the file src/services/sqlite/observations/store.ts. The fix involves modifying this function to correctly delimit concatenated fields, as shown in the commit associated with patch ID 4914213 [patch_id=4914213].

What the fix does

The patch modifies the computeObservationContentHash function to use a null-byte delimiter ('\x00') when joining the memorySessionId, title, and narrative fields. This change prevents hash collisions that could arise from ambiguous field boundaries, ensuring that distinct observations produce unique hashes. A new test case was added to verify that previously ambiguous inputs now generate distinct hashes [patch_id=4914213].

Preconditions

inputLocal access to the system is required.

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.234
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000