CVE-2026-34388: Authenticated Denial of Service via Unhandled gRPC Log Type in Fleet Launcher
Vulnerability ID: CVE-2026-34388
CVSS Score: 6.6
Published: 2026-03-30
Fleet Device Management versions prior to 4.81.0 contain a Denial of Service (DoS) vulnerability in the gRPC launcher endpoint. An enrolled host can submit an unexpected log type value that triggers an unhandled Go panic, crashing the entire server process and disrupting all MDM operations.
TL;DR
A flaw in Fleet's gRPC log handling allows an authenticated, enrolled device to send a log type value the server does not expect, causing an unhandled Go panic that terminates the Fleet server process. Because the whole process exits, every function that process serves is unavailable until it is restarted, and the device can repeat the request to keep it down.
Technical Details
- CWE ID: CWE-703
- Attack Vector: Network (Authenticated gRPC)
- CVSS 4.0 Score: 6.6
- Impact: Denial of Service (Process Crash)
- Exploit Status: No public exploit known
- EPSS Score: 0.00042
- KEV Status: Not Listed
Affected Systems
- Fleet Device Management (fleetdm), Fleet: < 4.81.0 (fixed in: 4.81.0)
Mitigation Strategies
- Upgrade Fleet server to version 4.81.0 or later.
- Implement robust process monitoring and automated restart mechanisms for the Fleet server service.
- Monitor application logs for Go runtime panics (a `panic:` line followed by a `goroutine N [running]:` stack trace) associated with the server/service package; repeated crash-and-restart cycles while an enrolled host is submitting logs point to this issue being triggered.
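As an added illustration (not Fleet's code: the advisory does not publish the affected code path), the following Go program models the CWE-703 pattern described in the summary above and the safety net implied by the mitigation advice. A handler dispatches on a client-controlled enum and panics on an unknown value; the hardened version validates the enum and returns an error; a recovery wrapper, the same idea as a gRPC unary recovery interceptor, turns a panic into a per-RPC error so one bad message cannot take the process down. All type, function and field names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"runtime/debug"
)

// LogType mirrors a protobuf-style enum: an int32 whose wire value is chosen
// by the sender, so values outside the generated constants can arrive from
// any remote peer. Illustrative type, not Fleet's.
type LogType int32

const (
	LogTypeUnknown LogType = 0
	LogTypeStatus  LogType = 1
	LogTypeResult  LogType = 2
)

// LogRequest stands in for an RPC request carrying a batch of log lines.
type LogRequest struct {
	NodeKey string
	Type    LogType
	Lines   []string
}

// Handler is the shape of a unary RPC handler in this model.
type Handler func(req *LogRequest) error

// ErrBadLogType is what a hardened server returns instead of crashing; a real
// gRPC server would map it to codes.InvalidArgument.
var ErrBadLogType = errors.New("invalid argument: unsupported log type")

func ingestStatus(lines []string) error { return nil }
func ingestResult(lines []string) error { return nil }

// writers dispatches on the enum; only the known constants are present.
var writers = map[LogType]func([]string) error{
	LogTypeStatus: ingestStatus,
	LogTypeResult: ingestResult,
}

// VulnerableHandler trusts the enum. For any value absent from writers the map
// lookup yields a nil func, and calling it panics with a nil pointer
// dereference. With no recover() up the stack the Go runtime terminates the
// whole process: one authenticated bad message, total outage (CWE-703).
func VulnerableHandler(req *LogRequest) error {
	return writers[req.Type](req.Lines)
}

// HardenedHandler adds the check the vulnerable path skipped: an unexpected
// enum value is an error returned to the caller, not a runtime panic.
func HardenedHandler(req *LogRequest) error {
	write, ok := writers[req.Type]
	if !ok {
		return fmt.Errorf("%w: %d", ErrBadLogType, req.Type)
	}
	return write(req.Lines)
}

// WithRecovery is the defense-in-depth layer, the same idea as a gRPC unary
// recovery interceptor: a panic in any handler becomes an error for that one
// RPC, the stack is logged for triage, and the process keeps serving.
func WithRecovery(next Handler) Handler {
	return func(req *LogRequest) (err error) {
		defer func() {
			if r := recover(); r != nil {
				log.Printf("recovered panic in RPC handler: %v\n%s", r, debug.Stack())
				err = fmt.Errorf("internal: handler panicked: %v", r)
			}
		}()
		return next(req)
	}
}

// Panics reports whether fn panics, so the failure mode can be exercised
// without taking down the calling process.
func Panics(fn func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	// Constructed requests: a valid node key with a log type the server does
	// not know (e.g. a new enum value from a newer client) and a known one.
	bad := &LogRequest{NodeKey: "host-1", Type: LogType(99), Lines: []string{"x"}}
	good := &LogRequest{NodeKey: "host-1", Type: LogTypeStatus, Lines: []string{"ok"}}

	fmt.Println("vulnerable panics on unknown type:", Panics(func() { _ = VulnerableHandler(bad) }))
	fmt.Println("hardened on unknown type:", HardenedHandler(bad))
	fmt.Println("recovery-wrapped vulnerable on unknown type:", WithRecovery(VulnerableHandler)(bad))
	fmt.Println("hardened on known type:", HardenedHandler(good))
}
```

Run it with `go run`; the call to VulnerableHandler only survives because Panics wraps it. Two caveats for anyone adopting the recovery wrapper in a real server: it is a safety net and not the fix (the root cause is the missing enum validation, and a recovered panic should still be logged and alerted on), and `recover()` only catches panics on the handler's own goroutine, so a panic in a goroutine the handler spawns still terminates the process.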
Remediation Steps
- Review current Fleet server version in deployment.
- Schedule a maintenance window for the upgrade process.
- Backup the Fleet database and server configuration files.
- Deploy Fleet version 4.81.0 or later using standard deployment procedures (e.g., Docker image update, binary replacement).
- Verify the upgrade by confirming that the running server reports version 4.81.0 or later and that enrolled hosts reconnect and check in normally.
References
- GitHub Security Advisory: GHSA-w254-4hp5-7cvv
- NVD Record: CVE-2026-34388
- Fleet Release Notes v4.81.0
- CVE.org Record: CVE-2026-34388
- OffSec Radar Analysis