CVE-2026-41284 Overview
CVE-2026-41284 is a resource exhaustion vulnerability in Apache Tomcat tracked under [CWE-770] (Allocation of Resources Without Limits or Throttling). The flaw affects Apache Tomcat versions 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, and 9.0.0.M1 through 9.0.117. Older, unsupported releases may also be affected. Remote unauthenticated attackers can send specially crafted requests over the network to exhaust server resources, causing a denial-of-service condition. The vulnerability impacts availability but does not compromise confidentiality or integrity. The Apache Software Foundation disclosed the issue on the project mailing list and a coordinated advisory was published through OpenWall OSS-Security.
Critical Impact
Remote, unauthenticated attackers can trigger resource exhaustion in Apache Tomcat servers, leading to a denial-of-service condition that disrupts availability of hosted web applications.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.21
- Apache Tomcat 10.1.0-M1 through 10.1.54
- Apache Tomcat 9.0.0.M1 through 9.0.117
Discovery Timeline
- 2026-05-12 - CVE-2026-41284 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-41284
Vulnerability Analysis
The vulnerability resides in how Apache Tomcat allocates internal resources when processing incoming network traffic. Because the affected code paths lack limits or throttling controls, an attacker can repeatedly request operations that consume memory, threads, or connection slots without bound. Sustained abuse drives the server toward exhaustion, blocking legitimate requests and ultimately rendering the service unresponsive.
The attack does not require authentication or user interaction, and complexity is low. As a result, the issue is exploitable by any client that can reach the Tomcat listener. The impact is limited to availability — there is no disclosure of data and no modification of server state beyond service degradation.
The EPSS probability is 0.135% (percentile 32.871) as of 2026-05-17, and no public exploit or in-the-wild activity has been documented at the time of publication.
Root Cause
The root cause is classified under [CWE-770]: Apache Tomcat allocates a resource for an actor without imposing a limit on the quantity that can be allocated. This permits an attacker to consume sufficient resources to deny service to other clients.
Attack Vector
The attack vector is the network. An unauthenticated remote attacker sends crafted requests to an exposed Tomcat endpoint. Because resource allocation is not throttled, repeated requests progressively consume server capacity until the application can no longer process legitimate traffic.
No verified public proof-of-concept code is available. Refer to the Apache Tomcat mailing list advisory and the OpenWall OSS-Security disclosure for vendor-provided technical context.
Detection Methods for CVE-2026-41284
Indicators of Compromise
- Sudden, sustained spikes in active threads, open connections, or heap usage in the Tomcat JVM with no corresponding business event.
- Rising HTTP 503 or connection-refused responses from Tomcat instances under otherwise normal traffic baselines.
- High volumes of repetitive or malformed requests originating from a small set of source IPs targeting the Tomcat connector port.
Detection Strategies
- Inspect Tomcat access logs (access_log.*) and catalina.out for repeated identical request patterns and OutOfMemoryError or thread-pool exhaustion messages.
- Correlate web application firewall (WAF) and reverse-proxy telemetry to identify clients generating disproportionate request rates against Tomcat-backed endpoints.
- Enable JMX or Micrometer metrics for the Tomcat connector to alert on currentThreadCount, connectionCount, and request-processing time deviations.
Monitoring Recommendations
- Baseline normal request rates per client and alert on deviations consistent with floods or slow-resource attacks.
- Track JVM heap, thread, and file-descriptor utilization continuously and trigger paging alerts on sustained saturation.
- Forward Tomcat and reverse-proxy logs to a centralized SIEM for cross-source correlation and retention.
How to Mitigate CVE-2026-41284
Immediate Actions Required
- Inventory all Apache Tomcat deployments and identify instances running 9.0.x, 10.1.x, or 11.0.x within the affected version ranges.
- Upgrade to the fixed Apache Tomcat release listed in the Apache Tomcat mailing list advisory as soon as it is validated in staging.
- Restrict network exposure of Tomcat connectors so only trusted reverse proxies or load balancers can reach them directly.
Patch Information
The Apache Tomcat project has released fixed versions that introduce limits on the affected resource allocation path. Administrators should consult the Apache Tomcat mailing list advisory and the OpenWall OSS-Security update for the exact fixed version numbers for the 9.0, 10.1, and 11.0 branches, then upgrade following standard Tomcat upgrade procedures.
Workarounds
- Place Tomcat behind a reverse proxy or WAF that enforces per-client request rate limits and connection caps.
- Tune Tomcat connector attributes such as maxConnections, maxThreads, acceptCount, and connectionTimeout in server.xml to bound resource consumption.
- Drop or rate-limit anomalous source IPs at the network edge until patched binaries are deployed.
# Example: constrain the HTTP connector in conf/server.xml
# <Connector port="8080" protocol="HTTP/1.1"
# maxConnections="2000"
# maxThreads="200"
# acceptCount="100"
# connectionTimeout="20000"
# keepAliveTimeout="15000"
# maxKeepAliveRequests="100" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
