CVE-2026-43506 Overview
CVE-2026-43506 is a denial of service vulnerability in Prosody, an open-source Extensible Messaging and Presence Protocol (XMPP) server. The flaw stems from memory leaks triggered by unauthenticated network connections. Attackers can exhaust server memory by repeatedly opening connections without authenticating, eventually causing the service to crash or become unresponsive. The vulnerability is classified under [CWE-401] (Missing Release of Memory after Effective Lifetime) and affects Prosody versions before 0.12.6 and versions 1.0.0 through 13.0.0 before 13.0.5.
Critical Impact
Unauthenticated remote attackers can cause denial of service by exhausting server memory through repeated connections, disrupting XMPP messaging services.
Affected Products
- Prosody versions before 0.12.6
- Prosody versions 1.0.0 through 13.0.0 (before 13.0.5)
- Deployments exposing XMPP listeners to untrusted networks
Discovery Timeline
- 2026-05-01 - CVE-2026-43506 published to NVD
- 2026-05-01 - Prosody Security Advisory 735dd9d3 published
- 2026-05-01 - Disclosure on the Openwall oss-security mailing list
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43506
Vulnerability Analysis
The vulnerability is a memory exhaustion denial of service in the Prosody XMPP server. Prosody fails to release memory associated with unauthenticated connections, allowing allocations to accumulate over the lifetime of the process. Each new unauthenticated connection adds to resident memory consumption without a corresponding deallocation when the connection terminates or stalls.
An attacker reachable over the network can open connections to the XMPP service repeatedly. Because authentication is not required to trigger the leak, the attack surface includes any network path that can reach the Prosody listener. Sustained connection activity drives memory utilization upward until the process is killed by the operating system or the host becomes unresponsive.
The issue is confined to availability impact. It does not expose confidential data and does not allow modification of state on the server. However, XMPP infrastructure used for messaging, presence, or federated communication can be taken offline by a single low-bandwidth attacker.
Root Cause
The root cause is a memory leak [CWE-401] in code paths that handle unauthenticated client or server connections. Resources allocated during the early connection lifecycle are not freed when the connection ends without successful authentication. Repeated triggering of this code path causes unbounded memory growth.
Attack Vector
Exploitation requires only network access to the Prosody service, with no privileges or user interaction. An attacker scripts repeated TCP connections to the XMPP c2s or s2s listener and either disconnects or leaves connections idle without authenticating. Each iteration leaks a small amount of memory; high-volume iteration drives the process toward exhaustion.
The vulnerability mechanism is described in the Prosody Security Advisory and the Openwall OSS Security Mailing List. No public proof-of-concept code has been released.
Detection Methods for CVE-2026-43506
Indicators of Compromise
- Sustained growth in resident memory of the prosody process without a corresponding increase in authenticated user sessions
- High volume of short-lived TCP connections to ports 5222 (c2s) or 5269 (s2s) from a small number of source addresses
- Repeated XMPP stream opens that never reach the <auth> or <starttls> completion state
- Out-of-memory kills of the prosody process recorded in dmesg or journalctl
Detection Strategies
- Monitor process memory metrics for the prosody daemon and alert on unbounded growth trends over rolling windows
- Correlate connection logs from Prosody with authentication success rates to surface anomalous unauthenticated connection ratios
- Inspect network telemetry for repeated connections from single sources to XMPP ports without successful TLS or SASL completion
Monitoring Recommendations
- Ingest Prosody logs and host memory metrics into a centralized logging or SIEM platform for trend analysis
- Configure alerts on Linux out-of-memory killer events targeting the prosody service
- Track connection rate per source IP at the network edge and flag sources exceeding normal client baselines
How to Mitigate CVE-2026-43506
Immediate Actions Required
- Upgrade Prosody to version 0.12.6 or 13.0.5 or later, as appropriate for your deployed branch
- Restrict network exposure of XMPP listener ports to known peers and federated servers where feasible
- Apply rate limiting and connection limits at the host firewall or reverse proxy in front of Prosody
Patch Information
The Prosody project has released fixed versions 0.12.6 and 13.0.5. Refer to the Prosody Security Advisory for the official remediation guidance and changelog. Package maintainers for major Linux distributions typically follow upstream releases; verify the installed package version matches or exceeds the fixed release.
Workarounds
- Place Prosody behind a TCP proxy that enforces per-source connection limits and idle timeouts
- Use firewall rules such as iptables connection limit modules to cap concurrent and new connections per source IP
- Schedule periodic restarts of the prosody service as a temporary measure to reclaim leaked memory until patching is complete
- Monitor process memory and configure systemd MemoryMax to bound the impact of leaks on the host
# Configuration example: limit incoming XMPP connections per source with iptables
iptables -A INPUT -p tcp --dport 5222 -m connlimit --connlimit-above 20 -j REJECT
iptables -A INPUT -p tcp --dport 5269 -m connlimit --connlimit-above 10 -j REJECT
# Bound prosody memory via systemd override
sudo systemctl edit prosody
# Add:
# [Service]
# MemoryMax=1G
# Restart=on-failure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
