CVE-2026-2575

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2026:3947
https://access.redhat.com/errata/RHSA-2026:3948
https://access.redhat.com/security/cve/CVE-2026-2575
https://bugzilla.redhat.com/show_bug.cgi?id=2440149

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-18 04:17

Updated : 2026-03-18 14:52

NVD link : CVE-2026-2575

Mitre link : CVE-2026-2575

CVE.ORG link : CVE-2026-2575

JSON object : View

Products Affected

No product.

CWE

CWE-409

Improper Handling of Highly Compressed Data (Data Amplification)

5.3 /10