Kubernetes
Multiple Products
Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf...
2026-04-18
Description
Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a `StackOverflowException` on payloads as small as 40 KB. Because `StackOverflowException` is uncatchable in .NET (since .NET 2.0), the entire worker process is terminated immediately. All in-flight HTTP requests, background `IHostedService` tasks, and open WebSocket subscriptions on that worker are dropped. The orchestrator (Kubernetes, IIS, etc.) must restart the process. This occurs before any validation rules run — `MaxExecutionDepth`, complexity analyzers, persisted query allow-lists, and custom `IDocumentValidatorRule` implementations cannot intercept the crash because `Utf8GraphQLParser.Parse` is invoked before validation. The `MaxAllowedFields=2048` limit does not help because the crashing payloads contain very few fields. The fix in versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14 adds a `MaxAllowedRecursionDepth` option to `ParserOptions` with a safe default, and enforces it across all recursive parser methods (`ParseSelectionSet`, `ParseValueLiteral`, `ParseObject`, `ParseList`, `ParseTypeReference`, etc.). When the limit is exceeded, a catchable `SyntaxException` is thrown instead of overflowing the stack. There is no application-level workaround. `StackOverflowException` cannot be caught in .NET. The only mitigation is to upgrade to a patched version. Operators can reduce (but not eliminate) risk by limiting HTTP request body size at the reverse proxy or load balancer layer, though the smallest crashing payload (40 KB) is well below most default body size limits and is highly compressible (~few hundred bytes via gzip).
AI Analyst Comment
Remediation
Update Kubernetes Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: Red Hat
PRODUCT: Red Hat Advanced Cluster Security (RHACS)
AFFECTED_VERSIONS: Red Hat Advanced Cluster Security 4 and earlier versions in any minor update stream
CONFIDENCE: high
MISSING: none
---END_METADATA---
Description Summary:
A flaw in Red Hat Advanced Cluster Security (RHACS) allows an authenticated user to perform uncontrolled resource consumption via the GraphQL API, potentially causing a denial-of-service.
Executive Summary:
An authenticated denial-of-service vulnerability in Red Hat Advanced Cluster Security (RHACS) could allow malicious actors to disrupt the management plane by submitting deeply nested GraphQL queries.
Vulnerability Details
CVE-ID: CVE-2026-9165
Affected Software: Red Hat Advanced Cluster Security (RHACS)
Affected Versions: Red Hat Advanced Cluster Security 4 and earlier versions in any minor update stream
Vulnerability: This vulnerability involves uncontrolled resource consumption (CWE-400) within the Central component's authenticated GraphQL API. An attacker with a valid API token can submit specifically crafted, deeply nested queries that exhaust system resources, leading to a denial-of-service for the management plane.
Business Impact
The CVSS score of 7.7 (High) reflects the potential for significant operational disruption. Because RHACS is central to security and policy enforcement for Kubernetes environments, a successful denial-of-service attack could leave critical infrastructure unmonitored or unable to enforce security policies, increasing the risk of secondary exploitation or compliance failures.
Remediation Plan
Immediate Action: Review the official Red Hat security advisory and apply the necessary patches or configuration updates provided by the vendor to restrict unauthorized or excessive API usage.
Proactive Monitoring: Monitor API usage patterns and system resource metrics, such as CPU and memory utilization on the RHACS Central component, to identify anomalous query behavior.
Compensating Controls: Implement strict API rate limiting and token management policies to ensure that only authorized, low-privilege service accounts can interact with the management plane.
Exploitation Status
Public Exploit Available: False
Analyst Notes: As of July 7, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Given the critical nature of cluster security management, administrators must treat this as a priority update. Ensure all API tokens are audited for least privilege and apply the vendor-supplied patches immediately to prevent potential service degradation.