CVE-2026-1990
📋 TL;DR
A null pointer dereference vulnerability in oatpp versions up to 1.3.1 allows local attackers to cause denial of service through application crashes. This affects systems running vulnerable oatpp-based applications where an attacker has local access to trigger the flaw.
💻 Affected Systems
- oatpp
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Application crash leading to denial of service, potentially disrupting services that depend on the oatpp framework.
Likely Case
Local denial of service through application crashes when malicious input triggers the null pointer dereference.
If Mitigated
Minimal impact if proper input validation and error handling are implemented, though the underlying vulnerability remains.
🎯 Exploit Status
An exploit has been publicly disclosed and requires local access. The vulnerability is straightforward to trigger once local access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: Yes
Instructions:
1. Monitor the oatpp GitHub repository for patches.
2. Apply the official patch when available.
3. Restart affected services after patching.
🔧 Temporary Workarounds
Implement input validation
Add input validation and null checks in application code that uses oatpp::data::type::ObjectWrapper
Restrict local access
Implement strict access controls to limit which local users can interact with oatpp applications
🧯 If You Can't Patch
- Implement network segmentation to limit access to oatpp applications
- Deploy monitoring for application crashes and restart services automatically
🔍 How to Verify
Check if Vulnerable:
Check the oatpp version in your application dependencies or build configuration. If the version is 1.3.1 or earlier, you are vulnerable.
Check Version:
Check your project's dependency files (CMakeLists.txt, package.json, etc.) for the oatpp version
Verify Fix Applied:
Verify that the oatpp version has been updated beyond 1.3.1 once a patch is available.
📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults
- Null pointer exception logs
- Unexpected service restarts
Network Indicators:
- No network indicators - local exploit only
SIEM Query:
Search for: 'segmentation fault' OR 'null pointer' OR 'oatpp crash' in application logs