Message-ID: <CADk+mPBTM+VcNFT=bKyOFLaXTEAB9esSbUXgJfSYEv5E6=7WYg@mail.gmail.com>
Date: Tue, 23 Jun 2026 17:15:54 +0200
From: Rainer Gerhards <rgerhards@...adiscon.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-55556: rsyslog imhttp Basic Auth heap overflow
Hello,
We are publishing CVE-2026-55556 for a heap overflow in the optional
rsyslog imhttp input module.
imhttp is a contributed rsyslog plugin. It is not part of typical default
rsyslog installations, is seldom installed in production deployments, and is
not frequently packaged by distributions. Systems that do not build, package,
install, load, and configure imhttp are not affected.
The issue is in the HTTP Basic Authentication parser used by imhttp. Older
code used:
auth->pworkbuf = calloc(0, len);
when decoding an oversized Basic Authentication header, instead of allocating
len bytes. If imhttp Basic Authentication was enabled, a remote client able to
reach the imhttp listener could trigger heap memory corruption. The practical
expected impact is denial of service; stronger impact would depend on platform,
allocator behavior, compiler options, and process hardening.
Affected configurations require all of the following:
- rsyslog built with the contributed imhttp module
- imhttp installed and available
- imhttp loaded and configured
- HTTP Basic Authentication enabled for the affected imhttp endpoint
- attacker access to that HTTP endpoint
Default rsyslog configurations do not load imhttp.
The affected upstream code path was removed in rsyslog 8.2604.0 by commit:
acde2ba25ea33816694b787859f4a727a247b6d6
imhttp: add route-scoped API key authentication
That change was primarily a feature enhancement and general imhttp auth
refactor adding route-scoped API key authentication and mixed auth selection.
As is now common in rsyslog development, nearby hardening was done as part of
that work. In this case, the old Basic Authentication parser and its dynamic
work-buffer allocation were replaced with bounded parsing, including a cap on
Basic Authentication header size.
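To make the two variants concrete, here is a bounded Basic Authentication decoder written for this note; it is an added example, not rsyslog or imhttp code. The fixed work buffer with a correctly sized heap fallback mirrors the fixed imhttp logic, while the cap value (BASIC_AUTH_MAX_ENCODED) and the function names are assumptions for the illustration.

```c
#include <stdlib.h>
#include <string.h>

#define BASIC_AUTH_MAX_ENCODED 1024  /* assumed cap; the advisory does not give imhttp's value */

/* Value of one base64 alphabet character, or -1 if it is not in the alphabet. */
static int b64val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode base64 into out (capacity outcap); -1 on a bad character or when outcap is exceeded. */
static int b64decode(const char *src, unsigned char *out, size_t outcap) {
    size_t o = 0; unsigned acc = 0; int bits = 0;
    for (; *src != '\0' && *src != '='; src++) {
        int v = b64val((unsigned char)*src);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= outcap) return -1;
            out[o++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)o;
}

/* Parse "Basic <base64>" into dst as NUL-terminated "user:pass". Returns the
 * decoded length, or -1 for a missing, oversized or malformed header. */
int decode_basic_auth(const char *hdr, char *dst, size_t dstcap) {
    unsigned char workbuf[64], *p = workbuf;  /* small fixed buffer, as in imhttp */
    if (hdr == NULL || strncmp(hdr, "Basic ", 6) != 0) return -1;
    const char *src = hdr + 6;
    size_t enclen = strlen(src);
    if (enclen == 0 || enclen > BASIC_AUTH_MAX_ENCODED) return -1; /* bounded parsing: reject */
    size_t need = (enclen / 4 + 1) * 3;  /* upper bound on the decoded size */
    if (need > sizeof workbuf) {
        p = calloc(1, need);  /* the corrected call; calloc(0, need) gave a zero-byte block */
        if (p == NULL) return -1;
    }
    int dec = b64decode(src, p, need);
    if (dec < 0 || (size_t)dec >= dstcap || memchr(p, ':', (size_t)dec) == NULL)
        dec = -1;  /* malformed, too long for the caller, or not "user:pass" */
    else { memcpy(dst, p, (size_t)dec); dst[dec] = '\0'; }
    if (p != workbuf) free(p);
    return dec;
}
```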
For downstreams maintaining older branches that do not take the broader auth
refactor, the reporter-provided minimal targeted fix is:
diff --git a/contrib/imhttp/imhttp.c b/contrib/imhttp/imhttp.c
index d0b8a18b6..c0298856c 100644
--- a/contrib/imhttp/imhttp.c
+++ b/contrib/imhttp/imhttp.c
@@ -702,7 +702,7 @@ static int parse_auth_header(struct mg_connection
*conn, struct auth_s *auth) {
size_t len = apr_base64_decode_len((const char *)src);
auth->pworkbuf = auth->workbuf;
if (len > sizeof(auth->workbuf)) {
- auth->pworkbuf = calloc(0, len);
+ auth->pworkbuf = calloc(1, len);
auth->workbuf_len = len;
}
len = apr_base64_decode(auth->pworkbuf, src);
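Review bot: the changed line fixes the allocation size, but the heap branch still passes `auth->pworkbuf` straight to `apr_base64_decode(auth->pworkbuf, src)` without checking the `calloc` result, so an allocation failure would turn into a NULL write; a `if (auth->pworkbuf == NULL)` error return after the `calloc` belongs in the same backport. Note also that `len` is derived from the client-supplied header with no upper bound in this hunk, so downstreams taking only this one-character fix should consider carrying the header-size cap that the upstream refactor introduced.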
Credit: reported by 0xseiryuu, who also provided the minimal targeted fix
shown above.
References:
- CVE-2026-55556
- GHSA-947w-69ph-mc2r
- upstream refactor:
https://github.com/rsyslog/rsyslog/commit/acde2ba25ea33816694b787859f4a727a247b6d6
Regards,
Rainer