{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30873", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-06T00:04:56.698Z", "datePublished": "2026-03-19T22:01:03.867Z", "dateUpdated": "2026-03-21T03:26:08.591Z"}, "containers": {"cna": {"title": "OpenWrt Project jsonpath: Memory leak when processing strings, labels, and regexp tokens", "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "lang": "en", "description": "CWE-401: Missing Release of Memory after Effective Lifetime", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m"}, {"name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"}, {"name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"}], "affected": [{"vendor": "openwrt", "product": "openwrt", "versions": [{"version": ">= 25.12.0-rc1, < 25.12.1", "status": "affected"}, {"version": "< 24.10.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:01:03.867Z"}, "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1."}], "source": {"advisory": "GHSA-rcc6-v4r6-gj4m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-21T03:25:41.581578Z", "id": "CVE-2026-30873", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:26:08.591Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30873", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-21T03:25:41.581578Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:25:48.781Z"}}], "cna": {"title": "OpenWrt Project jsonpath: Memory leak when processing strings, labels, and regexp tokens", "source": {"advisory": "GHSA-rcc6-v4r6-gj4m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.4, "attackVector": "ADJACENT", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "openwrt", "product": "openwrt", "versions": [{"status": "affected", "version": ">= 25.12.0-rc1, < 25.12.1"}, {"status": "affected", "version": "< 24.10.6"}]}], "references": [{"url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m", "name": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6", "name": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1", "name": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401: Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T22:01:03.867Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30873", "state": "PUBLISHED", "dateUpdated": "2026-03-21T03:26:08.591Z", "dateReserved": "2026-03-06T00:04:56.698Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T22:01:03.867Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*", "matchCriteriaId": "12B5818C-BB4D-4486-9C53-7FCA8EF2EDA8", "versionEndExcluding": "24.10.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:openwrt:openwrt:*:*:*:*:*:*:*:*", "matchCriteriaId": "061FA3CA-10C0-4EF2-8566-E623964CAE79", "versionEndExcluding": "25.12.1", "versionStartIncluding": "25.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1."}, {"lang": "es", "value": "OpenWrt Project es un sistema operativo Linux dirigido a dispositivos embebidos. En versiones anteriores a ambas 24.10.6 y 25.12.1, la funci\u00f3n jp_get_token, que realiza an\u00e1lisis l\u00e9xico dividiendo las expresiones de entrada en tokens, contiene una vulnerabilidad de fuga de memoria al extraer literales de cadena, etiquetas de campo y expresiones regulares utilizando asignaci\u00f3n din\u00e1mica de memoria. Estos resultados extra\u00eddos se almacenan en una estructura jp_opcode, que se copia posteriormente a un objeto jp_opcode reci\u00e9n asignado mediante jp_alloc_op. Durante esta transferencia, si una cadena fue previamente extra\u00edda y almacenada en el jp_opcode inicial, se copia a la nueva asignaci\u00f3n pero la memoria original nunca se libera, resultando en una fuga de memoria. Este problema ha sido corregido en las versiones 24.10.6 y 25.12.1."}], "id": "CVE-2026-30873", "lastModified": "2026-03-24T14:11:53.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:31.950", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/openwrt/openwrt/releases/tag/v24.10.6"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/openwrt/openwrt/releases/tag/v25.12.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "openwrt: jsonpath: OpenWrt Project jsonpath: Memory leak in `jp_get_token` function leading to Denial of Service", "id": "2449301", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449301"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.5", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in the `jsonpath` component of the OpenWrt Project. The `jp_get_token` function, which processes input expressions, contains a memory leak vulnerability. This occurs when dynamically allocated memory used for extracting string literals, field labels, or regular expressions is not properly released after being copied to a new object. This oversight can lead to a gradual depletion of available memory, potentially resulting in a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-30873", "public_date": "2026-03-19T22:01:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30873\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30873\nhttps://github.com/openwrt/openwrt/releases/tag/v24.10.6\nhttps://github.com/openwrt/openwrt/releases/tag/v25.12.1\nhttps://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[25.12.0-rc1,25.12.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,24.10.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openwrt", "source": "cna", "vendor": "openwrt"}, "product": "openwrt", "vendor": "openwrt"}], "analysis": {"en": {"generated_at": "2026-03-24T15:29:03.014199+00:00", "value": {"mitigation_remediation": ["Upgrade OpenWrt to version 24.10.6 or 25.12.1 (or later) to apply the fixed JSONPath parser. ", "If upgrade is not immediately feasible, restrict the use of JSONPath processing to trusted inputs and monitor memory usage for abnormal growth. ", "Apply general best practices by ensuring the system firmware remains current and review logs for signs of memory exhaustion."], "summary": {"action": "Patch", "impact": "Memory Leak"}, "threat_synthesis": {"affected_systems": "The affected product is the OpenWrt Linux operating system designed for embedded devices, under the OpenWrt Project. Versions prior to the releases 24.10.6 and 25.12.1 are vulnerable. Users running earlier builds of OpenWrt should be aware that these systems expose an unpatched JSONPath memory leak.", "description_and_impact": "The vulnerability affects the OpenWrt JSONPath parser, where the jp_get_token function leaks memory while extracting string literals, field labels, and regular expressions. Dynamic memory allocation is used to store these extraction results in a jp_opcode structure. When the structure is subsequently copied to a new allocation via jp_alloc_op the original memory is never freed. This results in a memory leak that can accumulate over time, potentially exhausting system memory and causing a denial\u2011of\u2011service condition. The weakness is classified as CWE\u2011401 and CWE\u2011772, indicating an improper release and a code defect regarding resource management. The impact is limited to loss of memory resources; there is no direct compromise of confidentiality, integrity, or remote execution.", "risk_and_exploitability": "The CVSS score of 2.4 classifies the vulnerability as low severity, and the EPSS probability of less than 1% indicates a low likelihood of exploitation. It is not listed in the CISA KEV catalog. Exploitation would require repeated processing of crafted JSONPath expressions to bring the system to a state of memory exhaustion, thereby causing local denial of service. No remote code execution or privilege escalation is possible based on the available data. Overall, the risk is low, but escalation to a DoS attack is conceivable if the vulnerability is repeatedly triggered."}}}}, "created": "2026-03-20T08:55:24.036420+00:00", "updated": "2026-03-25T11:54:33.083142+00:00", "vendors": ["openwrt", "openwrt$PRODUCT$openwrt"]}