SB2026062428 - Heap-based buffer overflow in rsyslog

Published: June 24, 2026

Security Bulletin ID: SB2026062428
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Heap-based buffer overflow (CVE-ID: CVE-2026-55556)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a heap-based buffer overflow in parse_auth_header() in the imhttp module when processing a crafted HTTP Basic Authorization header. A remote attacker can send a single crafted HTTP request to cause a denial of service.

Only deployments where the optional imhttp module is installed, explicitly loaded, and configured with HTTP Basic Authentication for an endpoint are vulnerable.
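As an added illustration that is not part of this bulletin or of rsyslog's code: a hypothetical, defensively written parser for an HTTP Basic Authorization value in C, showing the length and bounds checks such a parser must perform before and during decoding of attacker-controlled input; MAX_CRED and the 64-byte credential buffers are assumed limits, and the sample header is constructed.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical hardened parser for an "Authorization: Basic <base64>" value;
 * not rsyslog's parse_auth_header(). MAX_CRED is a constructed size limit. */
#define MAX_CRED 256
static int b64_val(unsigned char c) {
    const char *tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, (int)c) : NULL;
    return p ? (int)(p - tbl) : -1;
}
/* Decode base64 into out[0..cap). Every write is checked against cap, which is
 * the check a heap overflow in such a parser lacks. Returns length or -1. */
static int b64_decode(const char *in, size_t len, unsigned char *out, size_t cap) {
    size_t o = 0;
    if (len == 0 || len % 4) return -1;              /* unpadded/odd lengths: reject */
    for (size_t i = 0; i < len; i += 4) {
        int v[4], pad = 0;
        for (int k = 0; k < 4; k++) {
            if (in[i + k] == '=') { if (i + 4 < len || k < 2) return -1; pad++; v[k] = 0; }
            else if (pad || (v[k] = b64_val((unsigned char)in[i + k])) < 0) return -1;
        }
        unsigned char b[3] = { (unsigned char)(v[0] << 2 | v[1] >> 4),
            (unsigned char)(v[1] << 4 | v[2] >> 2), (unsigned char)(v[2] << 6 | v[3]) };
        if (o + 3 - pad > cap) return -1;            /* bounds check before the copy */
        memcpy(out + o, b, 3 - pad); o += 3 - pad;
    }
    return (int)o;
}

/* Parse the header value into user/pass; 0 on success, -1 on any malformed input. */
int parse_basic_auth(const char *hdr, char *user, size_t ucap, char *pass, size_t pcap) {
    unsigned char cred[MAX_CRED];
    if (strncmp(hdr, "Basic ", 6) != 0) return -1;
    size_t len = strlen(hdr + 6);
    if (len > 4 * ((MAX_CRED + 2) / 3)) return -1;    /* reject oversize before decoding */
    int n = b64_decode(hdr + 6, len, cred, sizeof cred);
    if (n < 0) return -1;
    unsigned char *colon = memchr(cred, ':', (size_t)n);
    if (colon == NULL) return -1;                     /* RFC 7617: user-id ":" password */
    size_t ulen = (size_t)(colon - cred), plen = (size_t)n - ulen - 1;
    if (ulen >= ucap || plen >= pcap) return -1;      /* caller's buffers are bounded too */
    memcpy(user, cred, ulen); user[ulen] = '\0';
    memcpy(pass, colon + 1, plen); pass[plen] = '\0';
    return 0;
}
int credentials_match(const char *hdr, const char *u, const char *p) { /* 1 if hdr is u:p */
    char user[64], pass[64];
    if (parse_basic_auth(hdr, user, sizeof user, pass, sizeof pass) != 0) return 0;
    return strcmp(user, u) == 0 && strcmp(pass, p) == 0;
}
```

Every rejection path returns before any write past a known capacity, which is the property to look for when reviewing a header parser, whether its scratch buffer lives on the stack or the heap.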


Remediation

Install the update from the vendor's website.