CVE-2023-26151: 
Python vulnerability analysis and mitigation

CVE-2023-26151 affects versions of the asyncua package before 0.9.96. The vulnerability was discovered during PhD research experiments and was disclosed on June 9, 2023. This vulnerability allows attackers to trigger a Denial of Service (DoS) condition in asyncua servers by sending malformed packets (Snyk Security).

The vulnerability exists in the datareceived function within the binaryserverasyncio.py file. When a malformed packet with a null size is sent, the server enters an infinite loop due to improper handling of packet sizes. Specifically, when the header.headersize + header.body_size equals zero, the buffer never updates, trapping the server in an endless loop. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) (Snyk Security).

When exploited, this vulnerability results in a total loss of availability of the asyncua server. No other clients can reach the server during the attack, and for devices with limited resources, it can lead to a complete system crash. The server gradually consumes more and more memory resources while stuck in the infinite loop (Snyk Security, GitHub Issue).

The vulnerability has been fixed in asyncua version 0.9.96. Users should upgrade to this version or higher to protect against this security issue. The fix includes proper handling of malformed packets and closing connections on error (GitHub Release).