CVE-2026-44579
Published: 2026-05-13
Priority: P3 · 45 · High
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.51% (39.5th percentile)
Next.js is a React framework for building full-stack web applications. In versions before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. This vulnerability is fixed in 15.5.16 and 16.2.5.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | — | — |
| mozilla | thunderbird | — | — |
| next | next | — | — |
| next | next | >= 15.0.0 < 15.5.16 | 15.5.16 |
| next | next | >= 16.0.0 < 16.2.5 | 16.2.5 |
| rhelai3 | bootc-cuda-rhel9 | — | — |
| rhelai3 | bootc-gaudi-rhel9 | — | — |
| rhelai3 | bootc-rocm-rhel9 | — | — |
| rhelai3 | disk-image-cuda-rhel9 | — | — |
| rhtas | rekor-search-ui-rhel9 | — | — |
| vercel | next.js | — | — |
| vercel | next.js | — | — |
| vercel | next.js | >= 15.0.0 < 15.5.16 | 15.5.16 |
| vercel | next.js | >= 16.0.0 < 16.2.5 | 16.2.5 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | — | 7.5 | HIGH | — |
VulDB
CVE-2026-44579 [HIGH] vercel next.js up to 15.5.15/16.2.4 Cache Components Feature allocation of resources (GHSA-mg66-mrh9-m8jx)
vuldb · 2026-05-13 · CVSS 7.5
A vulnerability classified as problematic has been found in vercel next.js up to 15.5.15/16.2.4. The affected element is an unknown function of the component Cache Components Feature. The manipulation leads to allocation of resources.
This vulnerability is uniquely identified as CVE-2026-44579. The attack can be carried out remotely. No exploit exists.
It is recommended to upgrade the affected component.
GHSA
CVE-2026-44579 [HIGH] CWE-770: Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components
ghsa · 2026-05-11
### Impact
Applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service.
### Fix
We now treat the header used for resuming Partial Prerendered requests as an internal-only header and strip it from untrusted incoming requests. This header should never be accepted directly from external clients.
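As an added illustration of the class of fix described above (example code written for this page, not Next.js's patch), the Node.js snippet below strips a configurable set of internal-only headers from untrusted inbound requests before they reach the application handler, and reports any that were present so an external client sending them can be spotted. The advisory does not name the Partial Prerendering resume header, so the header names here are placeholders, and the sample request is constructed.

```javascript
// Added example, not Next.js's fix: drop internal-only headers from
// untrusted inbound requests at the edge. Header names below are
// PLACEHOLDERS; the advisory does not name the real PPR resume header.
const INTERNAL_ONLY_HEADERS = new Set([
  "x-internal-ppr-resume-placeholder", // placeholder for the resume header
  "x-internal-trust-placeholder",      // any other trust-boundary header
]);

// Pure function: returns a copy of `headers` without internal-only names
// plus the list of names that were removed. Header names are compared
// case-insensitively (RFC 9110), so "X-Internal-..." is caught as well.
function stripInternalHeaders(headers, internal = INTERNAL_ONLY_HEADERS) {
  const cleaned = {};
  const stripped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (internal.has(name.toLowerCase())) {
      stripped.push(name);
    } else {
      cleaned[name] = value;
    }
  }
  return { headers: cleaned, stripped };
}

// Wraps an application handler so the strip runs first. Stripped names are
// reported through `onStripped`, because an external client sending an
// internal-only header is itself worth alerting on. Works with Node's
// http.IncomingMessage: keys are deleted in place on its cached headers object.
function hardenedHandler(appHandler, onStripped = () => {}) {
  return (req, res) => {
    const { stripped } = stripInternalHeaders(req.headers);
    for (const name of stripped) {
      delete req.headers[name];
    }
    if (stripped.length > 0) {
      onStripped({
        remote: req.socket ? req.socket.remoteAddress : "unknown",
        stripped,
      });
    }
    return appHandler(req, res);
  };
}

// Constructed sample request (not a real capture): a mixed-case internal
// header arriving from an untrusted client. Built fresh on each call so the
// in-place deletion above does not leak between runs.
function makeSampleRequest() {
  return {
    socket: { remoteAddress: "203.0.113.10" }, // TEST-NET-3 documentation range
    headers: {
      host: "app.example",
      "content-type": "text/plain;charset=UTF-8",
      "X-Internal-PPR-Resume-Placeholder": "1",
    },
  };
}

// Runs the wrapper over the sample and returns what the application saw
// plus what was reported, so the behaviour can be checked without a server.
function demo() {
  const events = [];
  const handler = hardenedHandler(
    (req) => Object.keys(req.headers).sort(),
    (e) => events.push(e),
  );
  const seenByApp = handler(makeSampleRequest(), null);
  return { seenByApp, events };
}

console.log(JSON.stringify(demo(), null, 2));
```

The strip belongs at the outermost trust boundary (reverse proxy or edge handler); headers a trusted internal hop needs should be re-added after the strip, never accepted as sent by the client.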
### Workarounds
If you cannot upgrade immediately,
Red Hat
CVE-2026-44579 [HIGH] CWE-833: next.js: Next.js: Denial of Service via crafted POST requests to server actions
vendor_redhat · 2026-05-13 · CVSS 7.5
A flaw was found in Next.js. Applications utilizing Partial Prerendering via the Cache Components feature are susceptible to connection exhaustion. A remote attacker can send crafted POST requests to a server action, triggering a request-body handling deadlock. This leaves connections open, consuming server resources and ultimately leading to a Denial of Service (DoS) for legitimate users.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: firefox (Red Hat Enterprise Linux 10) - Affected
Package: thunderbir
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-44579 [HIGH] conky: Next.js: Denial of Service via crafted POST requests to server actions [epel-all]
bugzilla · 2026-06-02 · CVSS 7.5
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-44579 [HIGH] mozjs128: Next.js: Denial of Service via crafted POST requests to server actions [fedora-all]
bugzilla · 2026-06-02 · CVSS 7.5
Bugzilla
CVE-2026-44579 [HIGH] thunderbird: Next.js: Denial of Service via crafted POST requests to server actions [fedora-all]
bugzilla · 2026-06-02 · CVSS 7.5
Bugzilla
CVE-2026-44579 [HIGH] icecat: Next.js: Denial of Service via crafted POST requests to server actions [fedora-all]
bugzilla · 2026-06-02 · CVSS 7.5
Bugzilla
CVE-2026-44579 [HIGH] conky: Next.js: Denial of Service via crafted POST requests to server actions [fedora-all]
bugzilla · 2026-06-02 · CVSS 7.5
Bugzilla
CVE-2026-44579 [HIGH] mozjs140: Next.js: Denial of Service via crafted POST requests to server actions [fedora-all]
bugzilla · 2026-06-02 · CVSS 7.5
Bugzilla
CVE-2026-44579 [HIGH] firefox: Next.js: Denial of Service via crafted POST requests to server actions [fedora-all]
bugzilla · 2026-06-02 · CVSS 7.5
Bugzilla
CVE-2026-44579 [HIGH] next.js: Next.js: Denial of Service via crafted POST requests to server actions
bugzilla · 2026-05-13 · CVSS 7.5
Next.js is a React framework for building full-stack web applications. In versions before 15.5.16 and 16.2.5, applications using Partial Prerendering through the Cache Components feature can be vulnerable to connection exhaustion through crafted POST requests to a server action. In affected configurations, a malicious request can trigger a request-body handling deadlock that leaves connections open for an extended period, consuming file descriptors and server capacity until legitimate users are denied service. This vulnerability is fixed in 15.5.16 and 16.2.5.
Hackernews
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews · 2026-05-11 · CVSS 9.3
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st