CVE-2026-6948 Unbounded Memory Allocation in VQLResponse Result-Set Writer

Publishedon 2026-04-28

CVSS · MEDIUM · 4.9 ⁄10 · CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Scoring scenario: GENERAL
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH

Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel.

This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.

Problem:

CWE-770: Allocation of Resources Without Limits or Throttling CWE-770

Impact:

CAPEC-130: Excessive Allocation CAPEC-130

Product Status:

Product Affected
Rapid7 Velociraptor on Linux
source repo
Default status is unaffected 		before 0.76.6
before 0.75.9

Credits:

We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly.

We also thank Mika Jarvinen (mika.jarvinen@kapsi.fi) for reporting this issue responsibly at the same time.

We also thank HE WEI(ギカク) for identifying and reporting an additional vulnerable code path related to this issue.

Timeline

  • 2026-04-20 Initial report by Faisal Alhumaid
  • 2026-04-20 Initial report by Mika Jarvinen
  • 2026-04-28 Advisory published and patch distributed

To remediate, you will need to upgrade your server to the latest version of your release:

  • For 0.76 releases, upgrade immediately to v0.76.4
  • For 0.75 releases, upgrade immediately to v0.75.9