Blog | Prabhav Srinath

CVE-2026-34979: Heap-based Buffer Overflow in CUPS Scheduler Leads to Denial of Service (DoS)

Vulnerability Research April 2026

An unauthenticated heap-based buffer overflow in cupsd allows for remote denial-of-service. This research explores the size calculation discrepancy in URI attribute handling.

Read Write-up →

CVE-2026-33871: Netty's Uncapped HTTP/2 CONTINUATION Frames Leads to Denial of Service (DoS)

Vulnerability Research March 2026

A critical oversight in Netty's HTTP/2 implementation allows for unbounded CONTINUATION frames, leading to CPU exhaustion and connection monopolization. This research explores how 0-byte fragments bypass existing byte-level constraints.

Read Write-up →

CVE-2026-27784: Integer Overflow in nginx ngx_http_mp4_module causes Out of Bounds Read/Write

Vulnerability Research March 2026

An integer overflow vulnerability in nginx's MP4 module allows for heap out-of-bounds reads and potential DoS. This post details how large entry counts bypass security checks on 32-bit platforms.

Read Write-up →

CVE-2026-29062: Nesting Depth Bypass in DataInput Parser Leads to Unsafe Deserialization in jackson-core

Vulnerability Research February 2026

UTF8DataInputJsonParser bypasses nesting depth limits, potentially causing StackOverflowErrors and DoS. This post details how direct parsing context creation skips critical depth validation.

Read Write-up →

Jackson-core: Number Length Constraint Bypass in Async Parsers Leads to Denial of Service (DoS)

Vulnerability Research January 26, 2026

The async JSON parser in jackson-core fails to enforce maxNumberLength constraints, leading to memory and CPU exhaustion. This research explores the missing validation step in the non-blocking code path.

Read Write-up →