CVE-2026-1301 in Open62541
Summary
by MITRE • 02/05/2026
In builds with PubSub and JSON enabled, a crafted JSON message can cause the decoder to write beyond a heap-allocated array before authentication, reliably crashing the process and corrupting memory.
Analysis
by VulDB Data Team • 02/06/2026
This vulnerability exists in systems that implement PubSub functionality with JSON message handling. It manifests when a specially crafted JSON message is decoded without proper bounds checking. The vulnerability is particularly concerning because it occurs before authentication mechanisms are fully engaged, meaning that an attacker can exploit it without providing valid credentials or access tokens. Technically, it is a heap-based buffer overflow: the JSON decoder attempts to write data beyond the allocated memory boundaries of an array structure. This memory corruption occurs during the initial parsing phase of the message processing pipeline, making it a critical pre-authentication vulnerability that can lead to immediate process termination and potential memory state corruption.
The operational impact of this vulnerability extends beyond simple denial of service scenarios. While the primary effect is reliable process crashing, the memory corruption aspect introduces potential for more severe consequences including information disclosure, arbitrary code execution, or system instability. Attackers can craft specific JSON payloads that will consistently trigger the buffer overflow condition, making this vulnerability highly exploitable in automated attack scenarios. The vulnerability affects systems where PubSub messaging is enabled alongside JSON parsing capabilities, which are common in distributed systems, message brokers, and IoT platforms that rely on these communication patterns. The pre-authentication nature means that any system with this configuration is immediately vulnerable to exploitation without requiring legitimate access credentials, significantly expanding the attack surface and making this a critical security concern for production environments.
Mitigation strategies for this vulnerability should focus on implementing robust input validation and bounds checking mechanisms within the JSON parsing libraries used by the PubSub system. The recommended approach includes updating to patched versions of the affected components, implementing strict input sanitization routines, and adding memory protection mechanisms such as stack canaries or address space layout randomization. Organizations should also consider implementing network segmentation and access controls to limit exposure to this vulnerability, particularly in environments where the affected systems are publicly accessible. Additionally, monitoring and logging should be enhanced to detect unusual JSON message patterns that might indicate exploitation attempts, as the vulnerability's deterministic nature makes detection through anomaly-based systems particularly effective. This vulnerability aligns with CWE-121 heap-based buffer overflow and could potentially map to ATT&CK technique T1059.007 for command and scripting interpreter execution if exploited further, though its primary classification remains as a memory corruption vulnerability affecting system stability and availability.
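As an added illustration of the bounds checking recommended above (not open62541's code and not the actual patch), the following C decoder for a flat JSON integer array caps the element count and guards every heap write against the allocated capacity. The function name, the `MAX_ELEMS` limit and the restricted input grammar are assumptions made for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMS 1024 /* assumed policy limit for untrusted input */

/* Decode a flat JSON integer array such as "[1, 2, 3]" into a heap array.
 * Returns 0 on success (caller frees *out), -1 on malformed input. */
int decode_int_array(const char *json, size_t len, long **out, size_t *out_n) {
    *out = NULL; *out_n = 0;
    if (len < 2 || json[0] != '[' || json[len - 1] != ']') return -1;
    if (memchr(json, '\0', len)) return -1;   /* no embedded NUL bytes */
    if (len == 2) return 0;                   /* "[]": nothing to allocate */

    size_t cap = 1;                           /* pass 1: size from separators */
    for (size_t i = 1; i + 1 < len; i++)
        if (json[i] == ',') cap++;
    if (cap > MAX_ELEMS) return -1;           /* bound attacker-driven allocation */
    long *arr = calloc(cap, sizeof *arr);
    if (!arr) return -1;

    char buf[32], *stop;
    size_t n = 0, pos = 1;
    while (pos < len - 1) {                   /* pass 2: parse and store */
        size_t end = pos;
        while (end < len - 1 && json[end] != ',') end++;
        size_t tlen = end - pos;
        /* The write below is guarded by n < cap on its own, so it stays in
         * bounds even if the two passes ever disagree about the count. */
        if (tlen == 0 || tlen >= sizeof buf || n >= cap) goto fail;
        memcpy(buf, json + pos, tlen);
        buf[tlen] = '\0';
        errno = 0;
        long v = strtol(buf, &stop, 10);
        if (stop == buf || errno == ERANGE) goto fail;
        while (isspace((unsigned char)*stop)) stop++;
        if (*stop != '\0') goto fail;         /* junk after the number */
        arr[n++] = v;
        pos = end + 1;
    }
    if (n != cap) goto fail;                  /* e.g. trailing comma */
    *out = arr; *out_n = n;
    return 0;
fail:
    free(arr);
    return -1;
}
```

Malformed, nested or oversized input is rejected with the allocation released, so no partially filled array reaches the caller.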