SB2026051262 - Multiple vulnerabilities in Synapse

Description

This security bulletin contains information about 2 vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2026-45078)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in request processing when handling authenticated user requests. A local user can send requests that starve other requests of CPU to cause a denial of service.

Homeservers that trust all their local users are not at risk.

2) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-45076)

CWE-ID: CWE-754 - Improper Check for Unusual or Exceptional Conditions

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper handling of crafted room events in pagination in federated room history pagination when processing room events from federated homeservers. A remote user can send specially crafted room events to cause a denial of service.

The issue can prevent paginating clients from receiving full room history and may cause clients to fail to display room history.

Remediation

Install update from vendor's website.

References

• https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g
• https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v