CVE-2026-45078
EPSS 0.01%Synapse CPU starvation (Denial of Service)
發布日:2026/5/14修改日:2026/6/3
描述
### Impact Local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. Homeservers that trust all their local users are not at risk. ### Patches Update to Synapse 1.152.1 or later. ### Workarounds If Synapse is deployed behind a reverse proxy, the reverse proxy could be configured to limit the rate of user requests, preventing or increasing the difficulty of the attack. ### Identifiers - ELEMENTSEC-2026-1706 ### For more information If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:[email protected]).
受影響套件(2)
- Debian/matrix-synapsefrom 0, < 1.152.1-1
- PyPI/matrix-synapsefrom 0, < 1.152.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
參考連結(5)
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-45078
- PATCHhttps://github.com/element-hq/synapse
- WEBhttps://github.com/element-hq/synapse/commit/3f58bc50dfba5768ee43ce48c5e74c25ba0b078a
- WEBhttps://github.com/element-hq/synapse/issues/19394
- WEBhttps://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g