How is CVE-2026-42542 exploited?

Network reachability (required): The attacker must reach the taosd RPC service over the network; the vulnerability is exposed to any host that can connect to the listening port. Authentication (not-required): No credentials or session state are needed; the crafted RPC packet can be sent before any authentication step. Victim interaction (not-required): No user or administrator action is needed to trigger the crash; the attacker acts entirely on their own. Attack complexity (info): Exploit complexity is low: the crash is triggered by a single crafted packet with no race conditions, memory-layout dependencies, or environmental preconditions.

What is the impact of CVE-2026-42542?

The taosd server process crashes immediately on receipt of the crafted packet, taking the database offline. All connected clients lose their sessions and any in-flight queries or writes are dropped. Dependent services that rely on TDengine for time-series storage (IoT pipelines, monitoring systems, etc.) lose database connectivity until the process is manually or automatically restarted.

Back to search

HIGHCVE-2026-42542Published 2026-06-10Modified 2026-06-11CNA GitHub_M

CVE-2026-42542: TDengine has an integer underflow in uvConnMayGetUserInfo() allows unauthenticated remote crash (DoS)

TDengine is an open source, time-series database optimized for Internet of Things devices. In versions 3.4.0.0 through 3.4.1.5, an unauthenticated remote attacker can crash the taosd server process by sending a single crafted RPC packet. No credentials or prior session state are required. Version 3.4.1.6 fixes the issue.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An integer underflow in the uvConnMayGetUserInfo() function of TDengine, the open-source time-series database, allows an unauthenticated remote attacker to crash the taosd server process. The vulnerability is reachable over the network with no credentials and no user interaction required, by sending a single crafted RPC packet. Successful exploitation causes a full denial of service of the database process. No upstream fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle TDengine 3.4.0.0 through 3.4.1.5. Any pipeline stage or registry scan that includes an affected image will surface the finding automatically.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.5 (HIGH) and weighting it against each environment's compliance policy to determine urgency and routing. The finding can be directed to the appropriate team inbox within a customer org based on workload ownership rules.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment the upstream fix is released. In the interim, customers can apply compensating controls through HarborGuard's network-policy recommendations to restrict exposure of the taosd RPC port.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the taosd RPC service over the network; the vulnerability is exposed to any host that can connect to the listening port.
AuthenticationNot required
No credentials or session state are needed; the crafted RPC packet can be sent before any authentication step.
Victim interactionNot required
No user or administrator action is needed to trigger the crash; the attacker acts entirely on their own.
Attack complexityDetail
Exploit complexity is low: the crash is triggered by a single crafted packet with no race conditions, memory-layout dependencies, or environmental preconditions.

Blast Radius

The taosd server process crashes immediately on receipt of the crafted packet, taking the database offline.
All connected clients lose their sessions and any in-flight queries or writes are dropped.
Dependent services that rely on TDengine for time-series storage (IoT pipelines, monitoring systems, etc.) lose database connectivity until the process is manually or automatically restarted.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has shipped yet, HarborGuard continuously re-evaluates the advisory on each ingest cycle and will surface a patched-image rebuild the moment version 3.4.1.6 or a later fix is published. Until then, customers are encouraged to use HarborGuard's network-policy isolation recommendations to restrict inbound access to the taosd RPC port to trusted source addresses only, reducing the attack surface without requiring a code change. For environments where auto-remediation is enabled, the patched rebuild, regression-test run, and PR against affected workloads will be initiated automatically as soon as a fix version becomes available upstream, with a median time from CVE publication to merged patch PR of around 90 minutes for HIGH-severity issues.

See how HarborGuard automates this

Affected packages

taosdata / TDengine
>= 3.4.0.0, < 3.4.1.6

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Metrics

Get notified