Medium severity4.9NVD Advisory· Published May 4, 2026· Updated May 4, 2026

CVE-2026-6948

Description

Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel.

This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.

Affected products

Velocidex/Velociraptorinferred
Range: <0.76.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

docs.velociraptor.app/announcements/advisories/cve-2026-6948/nvd

News mentions

Thus Spoke…The Gentlemen
Check Point Research · May 13, 2026
ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories
The Hacker News · Apr 30, 2026
PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian Networks
The Hacker News · Apr 27, 2026
From Bulk Export to AI-ready Security Workflows: Introducing Rapid7’s Open-Source MCP Server and Agent Skill
Rapid7 Blog · Apr 21, 2026
EDR killers explained: Beyond the drivers
ESET WeLiveSecurity · Mar 19, 2026

cvss	0.319
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000