CVE-2026-2575 Overview
A flaw was found in Keycloak that allows an unauthenticated remote attacker to trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.
Critical Impact
Unauthenticated attackers can crash Keycloak servers by exploiting unbounded DEFLATE decompression in SAML processing, causing service outages for authentication-dependent applications.
Affected Products
- Keycloak (specific vulnerable versions documented in Red Hat Security Advisories)
- Red Hat Single Sign-On (based on Keycloak)
- Deployments utilizing SAML Redirect Binding for authentication
Discovery Timeline
- 2026-03-18 - CVE-2026-2575 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-2575
Vulnerability Analysis
This vulnerability is classified under CWE-409 (Improper Handling of Highly Compressed Data), commonly known as a "decompression bomb" or "zip bomb" attack. The flaw exists in Keycloak's SAML authentication handling, specifically in the processing of SAMLRequest parameters received via the SAML HTTP Redirect Binding.
When processing SAML authentication requests, Keycloak must decompress the DEFLATE-compressed SAMLRequest data. The vulnerable implementation fails to enforce appropriate size limits during the decompression process. An attacker can craft a SAMLRequest that compresses to a small payload but expands to an extremely large size when decompressed, exhausting available heap memory.
The attack does not require authentication, making it particularly dangerous for internet-facing Keycloak deployments. A single malicious request can consume sufficient memory to trigger an OutOfMemoryError, causing the JVM to terminate and denying authentication services to all legitimate users.
Root Cause
The root cause is the absence of proper size validation during DEFLATE decompression of SAMLRequest payloads in the SAML Redirect Binding handler. Without enforcing maximum decompressed size limits, the application accepts arbitrarily large decompressed content, allowing attackers to exhaust heap memory through highly compressed payloads.
Attack Vector
The attack is executed over the network without requiring authentication or user interaction. An attacker sends a crafted HTTP GET request to the Keycloak SAML endpoint with a malicious SAMLRequest parameter. The parameter contains a highly compressed payload that, when processed by Keycloak's SAML handler, expands to consume excessive memory during DEFLATE decompression.
The attack flow proceeds as follows: the attacker constructs a payload with high compression ratio (e.g., repeated patterns that compress extremely well), DEFLATE-compresses it, Base64-encodes the result, and submits it as the SAMLRequest query parameter. When Keycloak processes this request, the decompression operation consumes memory proportional to the decompressed size rather than the compressed input size, leading to memory exhaustion.
Detection Methods for CVE-2026-2575
Indicators of Compromise
- Abnormal memory consumption spikes on Keycloak servers preceding crashes
- Repeated OutOfMemoryError exceptions in Keycloak application logs
- Unexpected Keycloak process terminations or restarts
- HTTP requests to SAML endpoints with unusually large SAMLRequest query parameters after Base64 decoding
Detection Strategies
- Monitor JVM heap utilization for sudden spikes correlating with SAML endpoint requests
- Implement log analysis rules to detect java.lang.OutOfMemoryError patterns in Keycloak logs
- Configure network-level inspection to flag SAML requests with atypical compression characteristics
- Deploy application performance monitoring (APM) to track memory allocation during SAML processing
Monitoring Recommendations
- Set up alerts for Keycloak service availability and automatic restart events
- Monitor authentication success rates for sudden drops indicating service disruption
- Track SAML endpoint request patterns for anomalous traffic from single sources
- Implement JVM memory monitoring with thresholds triggering investigation before OOM conditions
How to Mitigate CVE-2026-2575
Immediate Actions Required
- Apply security patches from Red Hat Security Advisory RHSA-2026:3947 or RHSA-2026:3948
- Review the Red Hat CVE Database entry for CVE-2026-2575 for vendor guidance
- Consider implementing rate limiting on SAML endpoints as a temporary protective measure
- Monitor Keycloak services for stability issues while planning patch deployment
Patch Information
Red Hat has released security advisories addressing this vulnerability. Organizations should consult RHSA-2026:3947 and RHSA-2026:3948 for specific patched versions and upgrade instructions. Additional details are available in Red Hat Bug Report #2440149.
Workarounds
- Implement a reverse proxy or web application firewall (WAF) rule to limit the size of SAMLRequest parameters
- Configure rate limiting on SAML authentication endpoints to reduce the impact of repeated attack attempts
- Consider temporarily disabling SAML Redirect Binding in favor of POST Binding if operationally feasible
- Deploy Keycloak behind load balancers with health checks to enable automatic failover during attack scenarios
# Example nginx rate limiting configuration for SAML endpoints
limit_req_zone $binary_remote_addr zone=saml_limit:10m rate=10r/s;
location /realms/*/protocol/saml {
limit_req zone=saml_limit burst=20 nodelay;
proxy_pass http://keycloak_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
