CVE-2026-62351 in TDengine
Summary
by MITRE • 07/15/2026
TDengine is a time-series database optimized for Internet of Things devices. Prior to 3.4.1.15, source/libs/transport/src/transComm.c transDecompressMsg() read STransCompMsg.contLen when pHead->comp == 1 without first validating that the RPC packet contained the 8-byte STransCompMsg structure, causing an unauthenticated out-of-bounds read, uncontrolled allocation, integer underflow, and server crash. This issue is fixed in version 3.4.1.15.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability exists within TDengine's time-series database implementation where the transDecompressMsg function in source/libs/transport/src/transComm.c fails to validate the presence of a required 8-byte STransCompMsg structure before attempting to read the contLen field. This flaw occurs specifically when pHead->comp equals 1, indicating compressed data transmission, but without proper validation of the packet structure. The absence of input validation creates multiple security and stability risks that can be exploited by unauthorized actors.
This vulnerability represents a classic case of improper input validation leading to memory safety issues and system instability. The flaw allows for an out-of-bounds read condition where the application attempts to access memory beyond the allocated buffer boundaries when reading the contLen field. This type of vulnerability falls under CWE-129, which addresses insufficient input validation, and more specifically aligns with CWE-125 for out-of-bounds read conditions. The issue also manifests as an uncontrolled allocation problem where the system may attempt to allocate memory based on invalid or corrupted data values.
The operational impact of this vulnerability extends beyond simple memory corruption to include potential server crashes and denial of service conditions. When an attacker crafts a malicious RPC packet with comp flag set to 1 but without the proper STransCompMsg structure, the server will attempt to read from memory locations that may not contain valid data or may be improperly sized. This results in integer underflow conditions that can cause unpredictable behavior including application crashes, memory corruption, and potentially system instability that affects the availability of the time-series database service.
The security implications are particularly concerning for IoT environments where TDengine is commonly deployed, as this vulnerability could allow unauthenticated attackers to disrupt services without requiring any credentials or privileged access. The flaw directly relates to ATT&CK technique T1499.004 which covers network denial of service attacks, and T1210 which involves exploitation of remote services through improper input handling. Organizations using TDengine in production environments face significant risk of service disruption and potential data integrity issues when this vulnerability remains unpatched.
Mitigation strategies should focus on immediate patching to version 3.4.1.15 or later where the validation has been implemented. Additionally, network segmentation and access controls should be strengthened to limit exposure to potentially malicious actors. Monitoring systems should be enhanced to detect unusual RPC packet patterns that might indicate exploitation attempts. The fix implemented in version 3.4.1.15 demonstrates proper defensive programming practices by ensuring that all required data structures are validated before any field access occurs, preventing the cascading effects of invalid memory access patterns that could lead to more severe consequences including code execution or data breach scenarios.