LiveActive security incident?Get immediate response
CVE Record

CVE-2026-44579: Next.js: Denial of Service via connection exhaustion in applications using Cache Components

Next.js is a React framework for building full-stack web applications. From to before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. This vulnerability is fixed in 15.5.16 and 16.2.5.

HighCVSS 7.5Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

Attackers can send specially crafted POST requests to Next.js applications that use the Cache Components feature and cause the server to hang connections until legitimate users can no longer reach the site. The fault is availability-only, but a small volume of traffic can effectively knock a customer-facing web app offline until the runtime is patched or restarted.

Executive priority

Patch within the standard high-severity SLA. This is an availability issue, not data exposure, but a single low-effort attacker can degrade customer-facing Next.js sites. Prioritize public, revenue-generating, or SLA-bound applications first; internal or authenticated apps can follow the normal cycle.

Technical view

Next.js versions 15.0.0 to 15.5.15 and 16.0.0 to 16.2.4 mishandle request bodies for server actions when Partial Prerendering with Cache Components is enabled, producing a deadlock (CWE-833) that leaves sockets open and exhausts file descriptors and worker capacity (CWE-770). CVSS 3.1 is 7.5 (AV:N/AC:L/PR:N/UI:N/A:H). Fixed in 15.5.16 and 16.2.5 per the vendor advisory GHSA-mg66-mrh9-m8jx.

Likely exposure

Exposure is limited to Next.js apps on 15.0.0–15.5.15 or 16.0.0–16.2.4 that enable Partial Prerendering via Cache Components and accept unauthenticated POSTs to a server action. Static-only deployments, older Next.js releases without Cache Components, and apps that gate server actions behind auth or WAF rules see less risk.

Exploitation context

No public exploit code, in-the-wild activity, or CISA KEV listing is cited in the bundle. The advisory describes crafted POST requests to a server action; attack complexity is low and no authentication is required per the CVSS vector. Treat as network-reachable denial of service pending vendor or Red Hat updates.

Researcher notes

Root cause per the advisory is a request-body handling deadlock in server action processing when Cache Components is active, mapping to CWE-833 (deadlock) and CWE-770 (unbounded resource allocation). Reproduction requires PPR/Cache Components enabled and a server action reachable via POST. Watch for downstream Node.js base image rebuilds and OpenShift/Red Hat container updates tied to RHSA-2026:37272 and RHSA-2026:34608.

Mitigation direction

  • Upgrade Next.js to 15.5.16 or 16.2.5 (or later) per GHSA-mg66-mrh9-m8jx.
  • Apply Red Hat errata RHSA-2026:37272 and RHSA-2026:34608 on affected Red Hat platforms.
  • If patching is delayed, disable Cache Components / Partial Prerendering on exposed routes.
  • Front server actions with a WAF or rate-limit rule on unauthenticated POST endpoints.
  • Tune reverse-proxy connection, body, and idle timeouts to shed stuck sockets.
  • Monitor file descriptor and worker saturation and configure automated restarts on threshold breach.

Validation and detection

  • Inventory Next.js versions across repos, containers, and Vercel/Node deployments.
  • Flag apps on 15.0.0–15.5.15 or 16.0.0–16.2.4 that enable Cache Components or PPR.
  • Confirm patched builds report 15.5.16 or 16.2.5 in runtime and CI artifacts.
  • Load-test server actions in staging to confirm connections release under sustained POSTs.
  • Review WAF, CDN, and proxy logs for anomalous long-lived POSTs to server-action routes.
  • Track vendor advisory GHSA-mg66-mrh9-m8jx and Red Hat CSAF VEX for status changes.
Prepared
Confidence
high
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-770: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · low confidence lookup

CWE-833: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-44579 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
2ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.5CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H3.93.6GitHub_M
7.5CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H3.93.6redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

7.5High
CVSS 3.1 vector shape for CVE-2026-44579Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Made public.

  3. CVE publishedCVE Program

    The CVE record was published.

  4. ADP timelineredhat-SADP

    Reported to Red Hat.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
redhat-SADPnext.js: Next.js: Denial of Service via crafted POST requests to server actions
other:Red Hat severity ratingcvssV3_1
  • 2026-05-13T18:01:32.406Z: Reported to Red Hat.
  • 2026-05-13T17:04:28.388Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
vercelnext.js>= 16.0.0, < 16.2.5, >= 15.0.0, < 15.5.16Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-770 · source CWE mapping

Allocation of Resources Without Limits or Throttling

Allocation of Resources Without Limits or Throttling represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-833 · source CWE mapping

Deadlock

Deadlock represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.