{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30873", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-06T00:04:56.698Z", "datePublished": "2026-03-19T22:01:03.867Z", "dateUpdated": "2026-03-19T22:01:03.867Z"}, "containers": {"cna": {"title": "OpenWrt Project jsonpath: Memory leak when processing strings, labels, and regexp tokens", "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "lang": "en", "description": "CWE-401: Missing Release of Memory after Effective Lifetime", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m"}, {"name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"}, {"name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"}], "affected": [{"vendor": "openwrt", "product": "openwrt", "versions": [{"version": ">= 25.12.0-rc1, < 25.12.1", "status": "affected"}, {"version": "< 24.10.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:01:03.867Z"}, "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1."}], "source": {"advisory": "GHSA-rcc6-v4r6-gj4m", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1."}], "id": "CVE-2026-30873", "lastModified": "2026-03-20T13:39:46.493", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:31.950", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"}, {"source": "security-advisories@github.com", "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "openwrt: jsonpath: OpenWrt Project jsonpath: Memory leak in `jp_get_token` function leading to Denial of Service", "id": "2449301", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449301"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.5", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in the `jsonpath` component of the OpenWrt Project. The `jp_get_token` function, which processes input expressions, contains a memory leak vulnerability. This occurs when dynamically allocated memory used for extracting string literals, field labels, or regular expressions is not properly released after being copied to a new object. This oversight can lead to a gradual depletion of available memory, potentially resulting in a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-30873", "public_date": "2026-03-19T22:01:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30873\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30873\nhttps://github.com/openwrt/openwrt/releases/tag/v24.10.6\nhttps://github.com/openwrt/openwrt/releases/tag/v25.12.1\nhttps://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.12.0-rc1,25.12.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,24.10.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openwrt", "source": "cna", "vendor": "openwrt"}, "product": "openwrt", "vendor": "openwrt"}], "analysis": {"en": {"generated_at": "2026-03-20T01:51:20.216305+00:00", "value": {"mitigation_remediation": ["Verify the current OpenWrt release on the device.", "If the release is older than 24.10.6 or 25.12.1, upgrade to at least those versions or apply the corresponding patch released in those updates.", "Confirm that the jsonpath component has been rebuilt and the memory leak is no longer present by monitoring system memory usage.", "If an immediate update is not feasible, restrict or sanitize externally supplied JSONPath expressions to limit resource consumption and monitor for abnormal memory growth."], "summary": {"action": "Patch", "impact": "Memory Leak (potential DoS)"}, "threat_synthesis": {"affected_systems": "All OpenWrt Project releases prior to v24.10.6 and v25.12.1 are affected. The issue is fixed in those two update releases and any later versions that incorporate the same patch.", "description_and_impact": "The vulnerability is present in the jp_get_token function of OpenWrt\u2019s jsonpath implementation. Dynamic memory allocation is used for string literals, field labels, and regular expressions, but the allocated memory is never released after being copied to a new jp_opcode structure, resulting in a memory leak. This weakness corresponds to CWE\u2011401 and CWE\u2011772 and could cause escalating memory consumption leading to system instability or crashes.", "risk_and_exploitability": "The CVSS score is 2.4, indicating low severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, implying no evidence of widespread exploitation. The likely attack vector requires an attacker to supply a crafted JSONPath expression that the system processes, which only increases memory usage but does not compromise confidentiality or integrity. Consequently, the overall risk is limited to service availability, with a moderate threat if the attacker can repeatedly target the device."}}}}, "created": "2026-03-20T08:55:24.036420+00:00", "updated": "2026-03-20T11:05:46.316445+00:00", "vendors": ["openwrt", "openwrt$PRODUCT$openwrt"]}