CVE-2026-6948

Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel. This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.

medium 4.9 CVSS 3.1

Published: May 4, 2026

Modified: May 4, 2026

Description

Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel.

This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.

References

https://docs.velociraptor.app/announcements/advisories/cve-2026-6948/

Version	3.1
Score	4.9 / 10
Severity	medium