CVE-2026-39197
Description
Datadog Vector 0.54.0 suffers from a memory exhaustion denial-of-service via oversized or highly compressed HTTP/gRPC payloads due to missing size bounds enforcement.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in Vector's source-side request handling, specifically within the /util/http/prelude.rs endpoint and related HTTP and gRPC ingest paths in Datadog Vector v0.54.0. The affected sources include http_server, source handling for Splunk HEC, OpenTelemetry HTTP, and gRPC decompression helpers. The issue occurs because the framework collects or decompresses request bodies before an effective expanded-size boundary is enforced. This allows a remote attacker to send a crafted request with an oversized or highly compressed payload that bypasses the configured request limit, leading to memory exhaustion [1].
Exploitation
An attacker must have network access to an exposed Vector ingest source that accepts the affected paths (e.g., HTTP, Splunk HEC, OpenTelemetry HTTP, or gRPC). No authentication is required if the source is left unprotected. The attacker sends a request with a compressed body that expands to a much larger size (e.g., via decompression bombs) or an oversized body that triggers collection before source-level validation. The payload must be syntactically valid enough to reach the body decoding path. Successive requests or parallel connections accelerate memory exhaustion [1].
Impact
Successful exploitation causes unbounded memory consumption in the Vector process, leading to denial of service. The process may become unresponsive, crash, or trigger host-level out-of-memory termination, depending on system limits. This can disrupt log and metric collection pipelines that rely on Vector [1].
Mitigation
No fixed version is disclosed in the available references. Administrators should restrict network exposure of Vector ingest sources to trusted clients only, enable authentication and TLS where supported, and consider deployment-level rate limiting or reverse-proxy inspection to filter oversized or suspicious payloads. If feasible, disable compression support on affected sources until a patch is available [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 0.54.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output-size cap on decompression and body buffering allows memory exhaustion before the configured request limit is enforced."
Attack vector
An attacker sends a crafted HTTP or gRPC request to an exposed Vector ingest source (e.g., http_server, Splunk HEC, OpenTelemetry HTTP, or an affected gRPC source). The request body is either oversized or highly compressed so that when decompressed it expands far beyond the configured size limit. Because the body is fully buffered or decompressed before the source-level size check is applied, the attacker can drive memory exhaustion. Authentication, TLS, and source exposure depend on deployment configuration, but the vulnerable boundary is the allocation or decompression step that happens before an effective decoded-size check [1].
Affected code
The vulnerability resides in Vector's source-side request handling, specifically in the `/util/http/prelude.rs` endpoint and related HTTP/gRPC decompression helpers. Affected paths include HTTP source utilities, OpenTelemetry HTTP, Splunk HEC, Vector source handling, and gRPC decompression helpers. The framework collects the full request body before source-specific limits can reject it, and decompression helpers decode compressed attacker-controlled bytes with no output-size cap tied to the configured request limit [1].
What the fix does
The advisory does not include a published patch. The recommended remediation is to enforce an effective decoded-size boundary before or during the buffering and decompression steps, rather than applying the configured request limit after the allocation has already occurred. Until a fix is available, operators should restrict network exposure of affected ingest sources and apply rate limiting or request size limits at a reverse proxy [1].
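The following is an added example illustrating the remediation pattern described above; it is not Vector's code and is not taken from the advisory. Python's standard-library `zlib` stands in for the gzip/gRPC decompression helpers, `MAX_BODY_BYTES`, `PayloadTooLarge`, `handle_request` and the two sample bodies are all constructed for the demonstration, and the limit of 1 MiB is a hypothetical configured request limit. It places the vulnerable pattern (inflate everything, then compare) beside a bounded version that caps the raw body while it is buffered and caps the decoded size while it is inflated, so peak memory never exceeds the limit regardless of how far a compressed stream would expand.

```python
"""Bounded request-body handling (added example, not Vector's code).

Shows the remediation the advisory describes: enforce the decoded-size limit
*during* buffering and decompression rather than after the whole body has been
allocated. Limits, header handling and sample payloads are constructed.
"""
import gzip
import zlib
from typing import Iterable

MAX_BODY_BYTES = 1024 * 1024  # hypothetical configured request limit (1 MiB)


class PayloadTooLarge(Exception):
    """Raised as soon as a body (raw or decoded) would exceed the limit."""


def unbounded_inflate(body: bytes, limit: int = MAX_BODY_BYTES) -> bytes:
    """The vulnerable pattern: inflate everything, then compare against the limit.

    By the time the check runs, the fully expanded payload already sits in
    memory, so the configured limit protects nothing.
    """
    decoded = gzip.decompress(body)
    if len(decoded) > limit:
        raise PayloadTooLarge(f"decoded {len(decoded)} bytes > {limit}")
    return decoded


def read_body_bounded(chunks: Iterable[bytes], limit: int = MAX_BODY_BYTES) -> bytes:
    """Buffer a streamed raw body, aborting the moment the running total passes the limit."""
    buf = bytearray()
    for chunk in chunks:
        buf += chunk
        if len(buf) > limit:
            raise PayloadTooLarge(f"raw body exceeds {limit} bytes")
    return bytes(buf)


def inflate_bounded(body: bytes, limit: int = MAX_BODY_BYTES) -> bytes:
    """Inflate gzip data while capping the *output* size.

    zlib's decompressobj honours a max_length per call and parks unconsumed
    input in unconsumed_tail, so the decoder never emits more than `limit`
    bytes (plus one byte of slack used to detect the overflow).
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    pending = body
    while True:
        budget = limit - len(out) + 1  # one byte of slack so overflow is detectable
        chunk = d.decompress(pending, budget)
        out += chunk
        if len(out) > limit:
            raise PayloadTooLarge(f"decoded body exceeds {limit} bytes")
        pending = d.unconsumed_tail
        if d.eof or (not pending and not chunk):
            break
    return bytes(out)


def handle_request(headers: dict, body_chunks: Iterable[bytes],
                   limit: int = MAX_BODY_BYTES) -> bytes:
    """Apply both caps in order: raw buffering first, then decoded size."""
    raw = read_body_bounded(body_chunks, limit)
    if headers.get("content-encoding", "").lower() == "gzip":
        return inflate_bounded(raw, limit)
    return raw


# Constructed sample inputs: a benign gzip body, and a highly compressible one
# (4 MiB of zeros shrinks to a few KiB) standing in for the expanding-payload class.
BENIGN_BODY = gzip.compress(b'{"message":"hello"}\n' * 50)
EXPANDING_BODY = gzip.compress(b"\x00" * (4 * 1024 * 1024))


def demo() -> dict:
    """Run both sample bodies through the bounded handler and report the outcome."""
    results = {}
    results["benign_len"] = len(handle_request({"content-encoding": "gzip"}, [BENIGN_BODY]))
    try:
        handle_request({"content-encoding": "gzip"}, [EXPANDING_BODY])
        results["expanding_rejected"] = False
    except PayloadTooLarge:
        results["expanding_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Note the ordering in `handle_request`: the raw cap alone is not sufficient, because `EXPANDING_BODY` is only a few KiB on the wire and passes it; only the decoded-size cap inside `inflate_bounded` rejects it, and it does so after emitting at most `limit + 1` bytes instead of the full 4 MiB that `unbounded_inflate` would allocate first.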
Preconditions
- config: An affected Vector 0.54.0 ingest source (http_server, Splunk HEC, OpenTelemetry HTTP, or an affected gRPC source) must be enabled and network-accessible to the attacker.
- network: The attacker must be able to send HTTP or gRPC requests to the exposed source.
- input: The request body must be syntactically valid enough to reach the body decoding path for that source.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.