CVE-2026-3260

Publication date 24 March 2026

Last updated 9 July 2026


Ubuntu priority

Cvss 3 Severity Score

5.9 · Medium

Score breakdown

Description

Rejected reason: The Undertow web server enforces a default maximum HTTP request entity size limit. Any request (including GET or HEAD) containing a body that exceeds this configurable limit is safely dropped by the server, preventing single-request Resource Exhaustion (Out of Memory) Denial of Service attacks.

Status

Package Ubuntu Release Status
undertow 26.04 LTS resolute
Not affected
25.10 questing
Not affected
24.04 LTS noble
Not affected
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial Ignored end of ESM support, was not-affected (rejected CVE)

Severity score breakdown

CVSS version: CVSS v3.0

Base score 5.9 · Medium

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H


Access our resources on patching vulnerabilities