CVE-2026-7572 Overview
CVE-2026-7572 is an off-by-one error [CWE-193] in the ConsumeUnit16Array and ConsumeUnit64Array functions of Velocidex Velociraptor before version 0.76.5. A local attacker can trigger a Denial of Service (DoS) by supplying a specially crafted .evtx file to the parse_evtx VQL plugin. Successful exploitation crashes the Velociraptor process on Windows and Linux hosts. The flaw requires user interaction, as a victim must invoke the plugin against the malicious file. Velocidex addressed the issue in Velociraptor 0.76.5.
Critical Impact
A malformed Windows event log file processed by parse_evtx crashes the Velociraptor agent or server, disrupting digital forensics and incident response (DFIR) collection workflows.
Affected Products
- Velocidex Velociraptor on Windows (versions before 0.76.5)
- Velocidex Velociraptor on Linux (versions before 0.76.5)
- Any deployment invoking the parse_evtx VQL plugin on untrusted .evtx input
Discovery Timeline
- 2026-05-06 - CVE-2026-7572 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-7572
Vulnerability Analysis
Velociraptor is an open-source DFIR platform that parses Windows event log (.evtx) files through its parse_evtx VQL plugin. The plugin relies on helper routines ConsumeUnit16Array and ConsumeUnit64Array to read fixed-width integer arrays from binary event log records. Both routines contain an off-by-one boundary calculation that miscomputes the number of elements consumed relative to the available buffer length.
When a crafted .evtx file declares an array count that lands exactly on the off-by-one condition, the parser attempts to read one element past the end of the backing slice. Go's bounds checking catches the access and raises a runtime panic; if nothing recovers it, the process terminates. The result is a reliable crash of whichever Velociraptor component ingests the file, whether a client collecting the artifact or a server parsing an uploaded log.
Root Cause
The defect is a classic [CWE-193] off-by-one error. The length checks in ConsumeUnit16Array and ConsumeUnit64Array do not correctly account for the final element in the parsed array. The functions therefore advance one element past the valid buffer boundary, producing an out-of-bounds slice access during deserialization of attacker-controlled .evtx content.
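The following Go program is an added illustration of the bug class, written for this page; it is not Velociraptor's code, and the function names, the exact shape of the faulty check and the input layout are assumptions. It places a reader whose length check covers all but the last element beside a corrected reader whose check is computed from the remaining room, and shows that an element count one larger than the buffer can hold passes the bad check and panics. The 64-bit routine named in the advisory would differ only in element width.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative reconstruction of a CWE-193 off-by-one in a fixed-width
// array reader. NOT Velociraptor's code: names, the form of the bad check
// and the record layout are assumptions made for this example.

var errOutOfBounds = errors.New("declared array does not fit in buffer")

// consumeUint16ArrayVuln reads count little-endian uint16 values starting
// at offset. The check accounts for where the last element starts, not
// where it ends, so it undercounts by one element: an attacker-chosen count
// that is one larger than the buffer can hold passes the check and the final
// slice expression panics with "slice bounds out of range".
func consumeUint16ArrayVuln(buf []byte, offset, count int) ([]uint16, error) {
	if offset < 0 || count < 0 || offset+(count-1)*2 > len(buf) { // BUG: should cover count elements
		return nil, errOutOfBounds
	}
	out := make([]uint16, count)
	for i := range out {
		pos := offset + i*2
		out[i] = binary.LittleEndian.Uint16(buf[pos : pos+2])
	}
	return out, nil
}

// consumeUint16ArrayFixed performs the same read with a check that covers
// the whole array. The bound is derived from the remaining room so that an
// attacker-controlled count cannot overflow the multiplication.
func consumeUint16ArrayFixed(buf []byte, offset, count int) ([]uint16, error) {
	if offset < 0 || count < 0 || offset > len(buf) || count > (len(buf)-offset)/2 {
		return nil, errOutOfBounds
	}
	out := make([]uint16, count)
	for i := range out {
		pos := offset + i*2
		out[i] = binary.LittleEndian.Uint16(buf[pos : pos+2])
	}
	return out, nil
}

// panics reports whether fn panics; it stands in for the Go runtime
// terminating a process that does not recover the panic.
func panics(fn func()) (didPanic bool) {
	defer func() {
		if recover() != nil {
			didPanic = true
		}
	}()
	fn()
	return false
}

// craftedCount is the smallest element count that passes the vulnerable
// check yet does not fit: one more than the buffer can hold.
func craftedCount(buf []byte, offset int) int {
	return (len(buf)-offset)/2 + 1
}

func main() {
	// Constructed record payload: four little-endian uint16 values.
	record := []byte{0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04, 0x00}
	honest := len(record) / 2
	crafted := craftedCount(record, 0)

	vals, _ := consumeUint16ArrayFixed(record, 0, honest)
	fmt.Println("fixed, honest count:", vals)
	_, err := consumeUint16ArrayFixed(record, 0, crafted)
	fmt.Println("fixed, crafted count:", err)
	fmt.Println("vulnerable, crafted count panics:",
		panics(func() { consumeUint16ArrayVuln(record, 0, crafted) }))
}
```

The corrected check compares the declared count against the room actually left after offset rather than multiplying the count first; that closes both the off-by-one and the integer-overflow variant that a large attacker-supplied count could otherwise exploit.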
Attack Vector
Exploitation is local and requires user interaction. An attacker plants a malicious .evtx file on a target host or supplies it to an analyst who runs a hunt or artifact that calls parse_evtx. When the plugin parses the file, the Velociraptor process crashes. The vulnerability does not provide code execution or data disclosure; the impact is limited to availability of the Velociraptor agent or server collecting the artifact.
No verified public proof-of-concept code is available. Refer to the Velociraptor Security Advisory for technical details.
Detection Methods for CVE-2026-7572
Indicators of Compromise
- Unexpected termination or panic logs from the Velociraptor agent or server process shortly after running an artifact that invokes parse_evtx.
- Presence of unusually small, malformed, or attacker-staged .evtx files in non-standard directories on endpoints.
- Repeated agent reconnects or hunt failures correlated with collection of Windows event log artifacts.
Detection Strategies
- Monitor Velociraptor server and client logs for Go runtime panic stack traces referencing ConsumeUnit16Array or ConsumeUnit64Array.
- Hunt across endpoints for .evtx files that sit outside the standard %SystemRoot%\System32\winevt\Logs\ directory (or, on Linux collectors, outside expected log and staging paths such as /var/log/) and that recent VQL queries have referenced.
- Compare deployed Velociraptor binary versions against 0.76.5 to identify hosts still vulnerable.
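The two checks above, scanning a client log for a Go panic trace that names the affected routines and comparing a reported version against 0.76.5, as an added Go example written for this page (not Velociraptor tooling). The log lines are constructed to mimic what the Go runtime prints for an unrecovered panic; the package and file names in them are invented. A pre-release build of 0.76.5 is treated as vulnerable because the advisory only vouches for the release.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// suspectFrames are the routines named in the advisory. A Go panic trace
// prints one frame per line, so a substring match per line is sufficient.
var suspectFrames = []string{"ConsumeUnit16Array", "ConsumeUnit64Array"}

// sampleLog is a constructed client log, not real Velociraptor output; the
// package path and source file are invented for the example.
var sampleLog = []string{
	"[INFO] 2026-05-08T10:21:03Z Collecting artifact Custom.EVTX.Triage (parse_evtx)",
	"panic: runtime error: slice bounds out of range [:10] with capacity 8",
	"",
	"goroutine 57 [running]:",
	"example/evtx.ConsumeUnit16Array(0xc000123400, 0x8, 0x5)",
	"\t/src/example/evtx/parser.go:118 +0x1f5",
	"example/evtx.(*Chunk).ParseRecord(...)",
	"\t/src/example/evtx/chunk.go:241 +0x3a9",
}

// panicFrames returns, in order, every suspect routine that appears as a
// call frame after the first "panic:" line. Mentions before the panic
// (ordinary log chatter) are ignored.
func panicFrames(lines []string, suspects []string) []string {
	var hits []string
	inTrace := false
	for _, line := range lines {
		if !inTrace {
			inTrace = strings.HasPrefix(line, "panic:")
			continue
		}
		for _, s := range suspects {
			if strings.Contains(line, s+"(") {
				hits = append(hits, s)
			}
		}
	}
	return hits
}

// parseVersion splits "0.76.5" (optionally "v"-prefixed, optionally with a
// "-rc1"-style suffix) into numeric parts and reports whether a pre-release
// suffix was present.
func parseVersion(s string) (v [3]int, prerelease bool, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		prerelease = true
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, false, fmt.Errorf("unexpected version format %q", s)
	}
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil || n < 0 {
			return v, false, fmt.Errorf("non-numeric component %q in %q", p, s)
		}
		v[i] = n
	}
	return v, prerelease, nil
}

// fixedIn is the first release the advisory lists as patched.
var fixedIn = [3]int{0, 76, 5}

// isVulnerable reports whether version predates the fix. Versions are
// compared numerically component by component, so 0.76.10 sorts after
// 0.76.5 as it should; a string comparison would get that wrong.
func isVulnerable(version string) (bool, error) {
	v, prerelease, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for i := range v {
		if v[i] != fixedIn[i] {
			return v[i] < fixedIn[i], nil
		}
	}
	return prerelease, nil
}

func main() {
	for _, v := range []string{"0.76.4", "0.76.5", "0.76.10", "v0.76.5-rc1"} {
		vuln, err := isVulnerable(v)
		fmt.Printf("%-12s vulnerable=%v err=%v\n", v, vuln, err)
	}
	fmt.Println("suspect frames in panic trace:", panicFrames(sampleLog, suspectFrames))
}
```

Feed panicFrames the tail of a client or server log after an unexpected exit; a non-empty result for a host running a version isVulnerable reports as true is a strong signal that a malformed .evtx file, rather than a resource problem, took the process down.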
Monitoring Recommendations
- Alert on abnormal exit codes or service restarts of the Velociraptor process across the fleet.
- Track artifact execution telemetry for parse_evtx invocations against operator-supplied or non-standard file paths.
- Review file integrity monitoring for newly created .evtx files in user-writable directories on production endpoints.
How to Mitigate CVE-2026-7572
Immediate Actions Required
- Upgrade all Velociraptor server and client deployments to version 0.76.5 or later.
- Restrict execution of artifacts that call parse_evtx to trusted operators until patching is complete.
- Validate the source of any .evtx file before parsing it through Velociraptor, especially files staged by users or pulled from untrusted endpoints.
Patch Information
Velocidex released a fix in Velociraptor 0.76.5 that corrects the boundary calculation in ConsumeUnit16Array and ConsumeUnit64Array. Refer to the Velociraptor Security Advisory for release notes and download links.
Workarounds
- Disable or restrict artifacts and hunts that invoke the parse_evtx VQL plugin until the upgrade is applied.
- Limit which operators can author or run ad-hoc VQL that parses event log files supplied from untrusted hosts.
- Sandbox event log parsing by collecting .evtx files first and processing them on isolated, patched analysis systems.
# Verify the installed Velociraptor version on Linux or Windows
velociraptor version
# Expected output should report 0.76.5 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


