CVE-2026-6948 PUBLISHED

Unbounded Memory Allocation in VQLResponse Result-Set Writer

Assigner: rapid7
Reserved: 24.04.2026 Published: 03.05.2026 Updated: 04.05.2026

Velociraptor versions prior to 0.76.4 contain a resource exhaustion vulnerability in the server's agent control channel.

This allows a compromised or rogue Velociraptor client to crash the server via out-of-memory (OOM) by sending crafted messages through the normal client communication channel.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 4.9

Product Status

Vendor Rapid7
Product Velociraptor
Versions (default status: unaffected):
  • affected from 0 to 0.76.4 (excl.)
  • affected from 0 to 0.75.9 (excl.)

Solutions

To remediate, you will need to upgrade your server (https://www.velociraptor-docs.org/docs/deployment/server/upgrades/#upgrading-a-server-in-place-upgrade) to the latest version of your release:

  • For 0.76 releases, upgrade immediately to v0.76.4: https://github.com/Velocidex/velociraptor/releases/download/v0.76/velociraptor-v0.76.4-linux-amd64
  • For 0.75 releases, upgrade immediately to v0.75.9: https://github.com/Velocidex/velociraptor/releases/download/v0.75/velociraptor-v0.75.9-linux-amd64

Credits

  • We thank Faisal Alhumaid (Faisal.alhumaid@hotmail.com) for reporting this issue responsibly.
  • We also thank Mika Jarvinen (mika.jarvinen@kapsi.fi) for reporting this issue responsibly at the same time.

Problem Types

  • CWE-770: Allocation of resources without limits or throttling

Impacts

  • CAPEC-130: Excessive Allocation