CVE-2026-42542
Description
TDengine 3.4.0.0-3.4.1.5 allows unauthenticated remote attackers to crash the taosd server via a crafted RPC packet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
TDengine versions 3.4.0.0 through 3.4.1.5 are vulnerable to a denial-of-service condition. An unauthenticated remote attacker can crash the taosd server process by sending a single crafted RPC packet. The vulnerability exists in the uvConnMayGetUserInfo() function within source/libs/transport/src/transSvr.c [2].
Exploitation
An attacker can exploit this vulnerability by sending a single, specially crafted RPC packet to the taosd server. No authentication, credentials, or prior session state are required. The trigger is an integer underflow in a copy-size calculation: a mixed-type subtraction between a signed int32_t and an unsigned size_t underflows when the len field is less than sizeof(STransMsgHead) + offset [2].
Impact
Successful exploitation of this vulnerability allows an unauthenticated remote attacker to crash the taosd server process. This results in a denial-of-service (DoS) condition, rendering the time-series database unavailable for its intended use.
Mitigation
TDengine version 3.4.1.6, released on 2026-06-10, addresses this vulnerability [1]. Users are advised to upgrade to version 3.4.1.6 or later to mitigate this risk. No workarounds are specified in the available references.
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"An integer underflow occurs in uvConnMayGetUserInfo() when calculating the memcpy size due to mixed-type subtraction between a signed int32_t and an unsigned size_t."
Attack vector
An unauthenticated remote attacker can trigger a denial-of-service by sending a single crafted RPC packet to the taosd server. The packet must have the withUserInfo flag set and a msgLen value that is less than the expected size for user information, causing an integer underflow. This results in an excessively large size being passed to memcpy, leading to a segmentation fault and server crash [ref_id=1].
Affected code
The vulnerability resides in the uvConnMayGetUserInfo function located in source/libs/transport/src/transSvr.c. Specifically, the issue occurs on line 860 during a memcpy operation where the size calculation involves a mixed-type subtraction that can lead to an integer underflow [ref_id=1].
What the fix does
The fix introduces a bounds check at the beginning of the uvConnMayGetUserInfo function. This check ensures that if the withUserInfo flag is set, the provided msgLen is sufficient to contain the expected user information, including the size of STransMsgHead and the offset for user data. If the length is insufficient, the function returns early, preventing the underflow and subsequent crash [ref_id=1].
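The underflow and the bounds check described above, shown side by side as an added example that is not TDengine's code. DemoHead, DEMO_USER_OFF and the three functions are hypothetical stand-ins; the real STransMsgHead layout and offset are not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for this example; NOT TDengine's real definitions. */
typedef struct {
    uint8_t  version;
    uint8_t  withUserInfo;
    int32_t  msgLen;     /* signed length field taken from the wire */
    uint32_t magicNum;
} DemoHead;
#define DEMO_USER_OFF 24u /* assumed size of the user-info area */

/* Before: mixed-type subtraction. msg_len is converted to size_t, so a
 * too-short message produces a huge size instead of a negative one. */
size_t copy_size_unchecked(int32_t msg_len) {
    return msg_len - (sizeof(DemoHead) + DEMO_USER_OFF);
}

/* After: reject short or negative lengths first, then subtract.
 * Returns 0 and stores the size in *out, or -1 if the length is invalid. */
int copy_size_checked(int32_t msg_len, size_t *out) {
    const size_t need = sizeof(DemoHead) + DEMO_USER_OFF;
    if (msg_len < 0 || (size_t)msg_len < need) return -1;
    *out = (size_t)msg_len - need;
    return 0;
}

/* Copy the bytes that follow header + user info, bounded by dst_cap. */
int extract_body(const uint8_t *pkt, int32_t msg_len,
                 uint8_t *dst, size_t dst_cap, size_t *copied) {
    size_t n;
    if (copy_size_checked(msg_len, &n) != 0 || n > dst_cap) return -1;
    memcpy(dst, pkt + sizeof(DemoHead) + DEMO_USER_OFF, n);
    *copied = n;
    return 0;
}

int main(void) {
    int32_t short_len = (int32_t)sizeof(DemoHead) + 10; /* constructed input */
    size_t n = 0;
    printf("unchecked size: %zu\n", copy_size_unchecked(short_len));
    printf("checked result: %d\n", copy_size_checked(short_len, &n));
    return 0;
}
```

The checked variant also caps the copy at the destination capacity, which the length check alone does not guarantee.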
Preconditions
- auth: No credentials or prior session state are required.
- network: The attacker must be able to send network packets to the taosd server.
- input: The attacker must craft an RPC packet with specific fields: version=3, withUserInfo=1, and a msgLen smaller than sizeof(STransMsgHead) + offset.
Reproduction
Craft an STransMsgHead with withUserInfo=1, version=3, and msgLen=sizeof(STransMsgHead)+10. Append 10 arbitrary bytes of body. Compute the CRC32 over the entire buffer and store it in magicNum (network byte order). Send this packet to the RPC port of the taosd server. The server will crash [ref_id=1].
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.