CVE-2026-44577
Published 2026-05-13
Priority: P4 (33)
CVSS 3.1: 5.9 Medium, vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.66% (46.8th percentile)
Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed). This vulnerability is fixed in 15.5.16 and 16.2.5.
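To make the failure mode concrete, here is an added example in Node.js that is not Next.js code: the unbounded read the description refers to, next to a reader that enforces a hard byte cap and a cheap pre-check on a declared size. The asset is a constructed lazy chunk generator standing in for a file stream; `MAX_IMAGE_BYTES`, `ImageTooLargeError`, `declaredSizeAllowed`, `handleLocalImage` and the 413 status are this example's own choices, not the values or behaviour of the upstream fix.

```javascript
// Added example, not Next.js code: unbounded buffering of a local asset
// versus a read that enforces a hard byte cap. MAX_IMAGE_BYTES is an
// illustrative value, not the limit the upstream fix applies.
const MAX_IMAGE_BYTES = 8 * 1024 * 1024;

// Constructed stand-in for a large local asset: a lazy generator that hands
// out `totalBytes` in `chunkBytes` pieces, so peak memory depends only on the
// consumer. A real handler would iterate fs.createReadStream with `for await`.
function* fakeAssetChunks(totalBytes, chunkBytes = 64 * 1024) {
  let sent = 0;
  while (sent < totalBytes) {
    const n = Math.min(chunkBytes, totalBytes - sent);
    sent += n;
    yield Buffer.alloc(n, 0xff);
  }
}

// Vulnerable pattern: keep every chunk, so memory grows with the asset and a
// request for a multi-gigabyte file can exhaust the heap.
function readUnbounded(chunks) {
  const parts = [];
  for (const chunk of chunks) parts.push(chunk);
  return Buffer.concat(parts);
}

class ImageTooLargeError extends Error {
  constructor(seen, max) {
    super(`image exceeds ${max} bytes (read ${seen} so far)`);
    this.name = 'ImageTooLargeError';
  }
}

// Hardened pattern: stop the moment the running total exceeds the cap. The
// cap is enforced on bytes actually read, so it holds even when no
// trustworthy size is known up front.
function readBounded(chunks, maxBytes = MAX_IMAGE_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > maxBytes) throw new ImageTooLargeError(total, maxBytes);
    parts.push(chunk);
  }
  return Buffer.concat(parts);
}

// Cheap pre-check when a size is known (fs.stat or Content-Length): reject
// before reading a byte. Not a substitute for readBounded, since a declared
// size can be missing or wrong.
function declaredSizeAllowed(declaredBytes, maxBytes = MAX_IMAGE_BYTES) {
  return Number.isInteger(declaredBytes) && declaredBytes >= 0 && declaredBytes <= maxBytes;
}

// Handler-shaped wrapper: returns { status, bytes } instead of writing to a
// socket so the outcome is easy to inspect. 413 is this example's choice.
function handleLocalImage(chunks, declaredBytes, maxBytes = MAX_IMAGE_BYTES) {
  if (declaredBytes !== undefined && !declaredSizeAllowed(declaredBytes, maxBytes)) {
    return { status: 413, bytes: 0 };
  }
  try {
    const body = readBounded(chunks, maxBytes);
    return { status: 200, bytes: body.length };
  } catch (err) {
    if (err instanceof ImageTooLargeError) return { status: 413, bytes: 0 };
    throw err;
  }
}
```

The two readers differ by one comparison, which is the whole point: the size check has to sit on the read path itself, because a `Content-Length` or `fs.stat` pre-check only helps when the size is known and honest. Reading with `for await` over a real stream keeps the same shape.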
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | — | — |
| mozilla | thunderbird | — | — |
| next | next | — | — |
| next | next | >= 10.0.0 < 15.5.16 | 15.5.16 |
| next | next | >= 16.0.0 < 16.2.5 | 16.2.5 |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhtas | rekor-search-ui-rhel9 | — | — |
| vercel | next.js | — | — |
| vercel | next.js | — | — |
| vercel | next.js | >= 10.0.0 < 15.5.16 | 15.5.16 |
| vercel | next.js | >= 16.0.0 < 16.2.5 | 16.2.5 |
CVSS provenance
NVD (v3.1): 5.9 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat (vendor): 5.9 MEDIUM
Red Hat
Next.js: Denial of Service via Image Optimization API
vendor_redhat·2026-05-13·CVSS 5.9·MEDIUM·CWE-770
A flaw was found in Next.js. When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. A remote attacker could exploit this by requesting large local assets from the /_next/image endpoint. This can lead to out-of-memory conditions, resulting in a Denial of Service (DoS) for the application.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: firefox (Red Hat Enterprise Linux 10) - Affected
Package: thunderbird (Red Hat
VulDB
vercel next.js up to 15.5.15/16.2.4 Image Optimization API /_next/image allocation of resources
vuldb·2026-05-13·CVSS 5.9·MEDIUM
A vulnerability has been found in vercel next.js up to 15.5.15/16.2.4 and classified as problematic. It affects the handling of local images by the /_next/image endpoint of the Image Optimization API: a requested local file is read fully into memory with no size limit, an allocation of resources without limits (CWE-770).
This vulnerability is listed as CVE-2026-44577. The attack may be initiated remotely. There is no available exploit.
The affected component should be upgraded.
GHSA
Next.js has a Denial of Service in the Image Optimization API
ghsa·2026-05-11·MEDIUM·CWE-770
### Impact
When self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the `/_next/image` endpoint that match the `images.localPatterns` configuration (by default, all patterns are allowed).
- If you are using `images.localPatterns`, only the patterns in that array are impacted.
- If you are using `images.unoptimized: true`, you are NOT impacted.
- If you are using `images.loader: 'custom'`, you are NOT impacted.
- If you are using Vercel, you are NOT impacted.
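The four conditions above can be turned into a check against the `images` block of a `next.config.js`. The following is an added example, not Next.js code: `classifyRequest`, `matchesLocalPattern` and `globToRegExp` are hypothetical helpers, the glob handling is a simplified stand-in for whatever matcher Next.js uses, and treating a defined `search` as an exact match on the query string is an assumption. It covers the self-hosted case only; the Vercel exemption is a hosting question, not a config one.

```javascript
// Added example, not Next.js code: classify a /_next/image request against
// the advisory's conditions using the `images` object from next.config.js.

// Minimal glob -> RegExp (assumption: `**` spans segments, `*` stays within
// one). A simplified stand-in for the matcher Next.js itself uses.
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*') {
      if (glob[i + 1] === '*') { re += '.*'; i++; } else { re += '[^/]*'; }
    } else {
      re += c.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
    }
  }
  return new RegExp('^' + re + '$');
}

// One localPatterns entry against a parsed request path and query string.
function matchesLocalPattern(pattern, pathname, search) {
  // Assumption: a missing pathname matches every path.
  const pathOk = globToRegExp(pattern.pathname ?? '**').test(pathname);
  // Assumption: a defined `search` must equal the query string exactly
  // (so search: '' forbids any query); an undefined `search` allows any.
  const searchOk = pattern.search === undefined || pattern.search === search;
  return pathOk && searchOk;
}

// Returns { affected, reason } for the `url` parameter of one request.
function classifyRequest(images, urlParam) {
  if (images.unoptimized === true) {
    return { affected: false, reason: 'images.unoptimized is true' };
  }
  if (images.loader === 'custom') {
    return { affected: false, reason: "images.loader is 'custom'" };
  }
  // Only local assets are in scope; absolute and protocol-relative URLs are
  // remote images and outside this advisory.
  if (!urlParam.startsWith('/') || urlParam.startsWith('//')) {
    return { affected: false, reason: 'not a local asset' };
  }
  const { pathname, search } = new URL(urlParam, 'http://localhost');
  if (!Array.isArray(images.localPatterns)) {
    return { affected: true, reason: 'no localPatterns configured, so every local path is allowed' };
  }
  const hit = images.localPatterns.find((p) => matchesLocalPattern(p, pathname, search));
  return hit
    ? { affected: true, reason: `matches localPatterns entry ${hit.pathname}` }
    : { affected: false, reason: 'no localPatterns entry matches' };
}
```

Run it over the set of `url` values your app actually emits (or over a sample of `/_next/image` requests from access logs) to see which local paths are still reachable before the upgrade; narrowing `localPatterns` reduces exposure on unpatched versions but does not remove it, since any matching large asset still triggers the unbounded read.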
### Fix
We now apply response size limits consistently to internal image f
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-44577 thunderbird: Next.js: Denial of Service via Image Optimization API [fedora-all]
bugzilla·2026-06-02·CVSS 5.9·MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-44577 conky: Next.js: Denial of Service via Image Optimization API [epel-all]
bugzilla·2026-06-02·CVSS 5.9·MEDIUM
Bugzilla
CVE-2026-44577 mozjs128: Next.js: Denial of Service via Image Optimization API [fedora-all]
bugzilla·2026-06-02·CVSS 5.9·MEDIUM
Bugzilla
CVE-2026-44577 icecat: Next.js: Denial of Service via Image Optimization API [fedora-all]
bugzilla·2026-06-02·CVSS 5.9·MEDIUM
Bugzilla
CVE-2026-44577 conky: Next.js: Denial of Service via Image Optimization API [fedora-all]
bugzilla·2026-06-02·CVSS 5.9·MEDIUM
Bugzilla
CVE-2026-44577 firefox: Next.js: Denial of Service via Image Optimization API [fedora-all]
bugzilla·2026-06-02·CVSS 5.9·MEDIUM
Bugzilla
CVE-2026-44577 mozjs140: Next.js: Denial of Service via Image Optimization API [fedora-all]
bugzilla·2026-06-02·CVSS 5.9·MEDIUM
Bugzilla
CVE-2026-44577 Next.js: Denial of Service via Image Optimization API
bugzilla·2026-05-13·CVSS 5.9·MEDIUM
Next.js is a React framework for building full-stack web applications. From 10.0.0 to before 15.5.16 and 16.2.5, when self-hosting Next.js with the default image loader, the Image Optimization API fetches local images entirely into memory without enforcing a maximum size limit. An attacker could cause out-of-memory conditions by requesting large local assets from the /_next/image endpoint that match the images.localPatterns configuration (by default, all patterns are allowed). This vulnerability is fixed in 15.5.16 and 16.2.5.