CVE-2026-8319 Overview
CVE-2026-8319 is a resource consumption vulnerability [CWE-400] in the aiwaves-cn agents project, an open-source framework for building autonomous language agents. The flaw resides in the recall_relevant_memories_to_working_memory function located in core/cat/looking_glass/stray_cat.py within the cheshire_cat_core component. Remote attackers can trigger excessive resource consumption without authentication or user interaction. A public exploit has been disclosed, increasing the risk of opportunistic abuse. The project follows a rolling release model, so no discrete fixed version is published, and the maintainers had not responded to the upstream issue report at the time of disclosure.
Critical Impact
Unauthenticated remote attackers can exhaust resources in deployed agents instances, degrading availability of the memory recall subsystem.
Affected Products
- aiwaves-cn agents up to commit e8c4e3c2d19739d3dff59e577d1c97090cc15f59
- cheshire_cat_core component
- core/cat/looking_glass/stray_cat.py module
Discovery Timeline
- 2026-05-11 - CVE-2026-8319 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-8319
Vulnerability Analysis
The vulnerability is a network-reachable resource exhaustion issue affecting the memory recall path of the agents framework. The recall_relevant_memories_to_working_memory function processes input that influences memory retrieval operations against the agent's working memory store. When triggered repeatedly or with crafted parameters, the function consumes excessive compute or memory resources, which can degrade service availability for legitimate agent interactions. The issue is classified under [CWE-400] Uncontrolled Resource Consumption.
Because the affected codebase follows a rolling release approach, operators tracking the upstream main branch cannot map exposure to a stable version number. They must instead compare deployed commit hashes against the disclosed commit e8c4e3c2d19739d3dff59e577d1c97090cc15f59.
Root Cause
The root cause is the absence of bounds, rate limits, or cost controls in recall_relevant_memories_to_working_memory. The function performs memory recall work proportional to attacker-controlled input without enforcing upper limits on iteration count, query size, or result set magnitude. Repeated invocation amplifies the cost on the server.
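The controls this section names as missing can be shown with an added Python example; it is not code from the agents project or from the advisory. `recall_fn(query, k)` is a hypothetical stand-in for the recall routine, and every limit value is an assumption to tune per deployment.

```python
import threading
import time

MAX_QUERY_CHARS = 2000   # assumed cap on recall query text
MAX_RESULTS = 10         # assumed cap on memories returned per call
RATE, BURST = 5.0, 10    # per-client token bucket: refill per second, capacity
MAX_CONCURRENT = 4       # recall calls allowed in flight at once
MAX_TRACKED = 10_000     # bucket-table size that triggers eviction


class RecallRejected(Exception):
    """A recall request exceeded one of the limits above."""


class RecallGuard:
    def __init__(self, recall_fn, clock=time.monotonic):
        self._recall = recall_fn          # hypothetical stand-in: recall_fn(query, k)
        self._clock = clock
        self._buckets = {}                # client_id -> (tokens, last_seen)
        self._lock = threading.Lock()
        self._slots = threading.BoundedSemaphore(MAX_CONCURRENT)

    def _take_token(self, client_id):
        now = self._clock()
        with self._lock:
            if client_id not in self._buckets and len(self._buckets) >= MAX_TRACKED:
                # Buckets idle for BURST / RATE seconds are full again, so
                # dropping them loses no state.
                self._buckets = {c: b for c, b in self._buckets.items()
                                 if now - b[1] < BURST / RATE}
            tokens, last = self._buckets.get(client_id, (BURST, now))
            tokens = min(BURST, tokens + (now - last) * RATE)
            allowed = tokens >= 1
            self._buckets[client_id] = (tokens - 1 if allowed else tokens, now)
            return allowed

    def recall(self, client_id, query, k=MAX_RESULTS):
        if not isinstance(query, str) or len(query) > MAX_QUERY_CHARS:
            raise RecallRejected("query too large")
        k = max(1, min(int(k), MAX_RESULTS))   # clamp the result-set size
        if not self._take_token(client_id):
            raise RecallRejected("rate limit exceeded")
        if not self._slots.acquire(blocking=False):
            raise RecallRejected("too many recalls in flight")
        try:
            return self._recall(query, k)
        finally:
            self._slots.release()
```

The cheap checks (size, clamp, token) run before a concurrency slot is taken, so rejected requests never occupy recall capacity.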
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker reaches the exposed cheshire_cat_core interface and submits requests that route into the recall path. Sustained or crafted requests inflate CPU and memory utilization until the service degrades or becomes unresponsive. A public proof of concept has been referenced through the GitHub Issue #219 Discussion and the VulDB Vulnerability #362606 entry.
No verified exploit code is reproduced here. Technical details are tracked in the GitHub Repository for Agents and the VulDB CTI for #362606.
Detection Methods for CVE-2026-8319
Indicators of Compromise
- Sustained high CPU or memory utilization on hosts running cheshire_cat_core without a corresponding rise in legitimate user sessions.
- Repeated inbound requests targeting endpoints that trigger recall_relevant_memories_to_working_memory from a small number of source addresses.
- Application logs showing prolonged execution times for memory recall operations or queue backlogs in agent worker pools.
Detection Strategies
- Instrument the agents runtime to emit per-request timing and memory accounting for calls into stray_cat.py memory functions.
- Alert on anomalous request rates against agent chat or memory endpoints exceeding a baseline derived from normal usage windows.
- Correlate process-level resource spikes with inbound request patterns to distinguish abuse from organic load.
Monitoring Recommendations
- Track availability and latency metrics for the cheshire_cat_core service and trigger alerts on sustained degradation.
- Capture network flow telemetry for the exposed agent interface to identify low-and-slow exhaustion patterns.
- Review application logs daily for repeated invocations of the recall function from the same client identity or IP range.
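The rate and duration checks described in this section can be run over recall logs as follows. This is an added example, not tooling from the project or the advisory: the log line format, the thresholds, and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<UTC timestamp> client=<id> op=recall duration_ms=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) op=recall duration_ms=(?P<ms>\d+)$"
)
WINDOW = timedelta(seconds=10)
MAX_CALLS_PER_WINDOW = 5   # assumed baseline from normal usage
SLOW_MS = 2000             # a recall at or above this duration counts as slow
MAX_SLOW_CALLS = 3         # slow recalls tolerated per client before flagging


def find_recall_abuse(lines):
    """Return {client: set of reasons}; lines must be in time order per client."""
    recent = defaultdict(deque)   # client -> timestamps inside the window
    slow = defaultdict(int)       # client -> count of slow recalls
    findings = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore lines that are not recall records
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        client = m["client"]
        window = recent[client]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()
        if len(window) > MAX_CALLS_PER_WINDOW:
            findings[client].add("burst")
        if int(m["ms"]) >= SLOW_MS:
            slow[client] += 1
            if slow[client] > MAX_SLOW_CALLS:
                findings[client].add("slow_recall")
    return dict(findings)


# Constructed sample: one client hammering recall, one behaving normally.
SAMPLE = [
    f"2026-01-01T10:00:0{i}Z client=203.0.113.7 op=recall duration_ms={500 * (i + 1)}"
    for i in range(8)
] + [
    "2026-01-01T10:00:03Z client=198.51.100.20 op=recall duration_ms=120",
    "2026-01-01T10:05:00Z client=198.51.100.20 op=recall duration_ms=140",
]
```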
How to Mitigate CVE-2026-8319
Immediate Actions Required
- Restrict network exposure of cheshire_cat_core to trusted clients using firewall rules, VPN, or reverse proxy access controls.
- Apply request rate limiting and per-client concurrency caps in front of the agent interface.
- Pin deployments to a known-good commit and avoid auto-pulling main until upstream addresses the issue.
Patch Information
The project follows a rolling release model and had not responded to the upstream report at the time of disclosure. No fixed commit is currently identified. Monitor the GitHub Repository for Agents and the GitHub Issue #219 Discussion for remediation updates. Reference the VulDB Submission #811274 for tracking metadata.
Workarounds
- Place the agent behind an authenticating reverse proxy to block unauthenticated access to memory recall endpoints.
- Enforce request size limits and timeouts at the proxy layer to cap the cost of any single recall operation.
- Run the service under cgroup or container resource limits so that exhaustion in one instance does not affect the host or co-located workloads.
- Disable or gate the memory recall feature in deployments where it is not required.
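# Example nginx rate limit and size cap in front of cheshire_cat_core
# limit_req_zone belongs in the http {} context, alongside the server block.
limit_req_zone $binary_remote_addr zone=agents_rl:10m rate=5r/s;

server {
    listen 443 ssl;
    server_name agents.example.com;
    # Placeholder certificate paths; "listen ... ssl" requires both directives.
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    client_max_body_size 64k;   # reject oversized request bodies
    client_body_timeout 5s;     # drop clients that send the body too slowly

    location / {
        limit_req zone=agents_rl burst=10 nodelay;  # 5 r/s per source IP, bursts of 10
        proxy_read_timeout 10s;                     # cap the wait on the backend
        proxy_pass http://127.0.0.1:1865;
    }
}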