HIGH 7.5

CVE-2026-42542: TDengine RPC Integer Underflow Denial of Service

TDengine versions 3.4.0.0 through 3.4.1.5 contain a flaw that allows an attacker on the network to crash the taosd server process by sending a single specially crafted RPC packet. No authentication, login credentials, or prior interaction with the system is required—an attacker can trigger the crash from scratch. The vulnerability has been patched in version 3.4.1.6.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-191
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

TDengine is an open source, time-series database optimized for Internet of Things devices. In versions 3.4.0.0 through 3.4.1.5, an unauthenticated remote attacker can crash the taosd server process by sending a single crafted RPC packet. No credentials or prior session state are required. Version 3.4.1.6 fixes the issue.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from an integer underflow condition (CWE-191) in the TDengine RPC packet handling logic within affected versions. When a malicious RPC packet is received by the taosd daemon, the packet parsing logic fails to properly validate numeric boundaries, leading to an integer underflow that crashes the process. The attack surface is the unauthenticated RPC interface exposed on the network, and the lack of input validation or bounds checking allows a single crafted packet to trigger the crash without requiring authentication or a prior session.

Business impact

An attacker exploiting this vulnerability can deny service to any TDengine deployment running a vulnerable version. In production IoT environments where TDengine serves as the central time-series database, a crash of the taosd process immediately halts all data ingestion, queries, and downstream analytics dependent on that database. Recovery requires manual intervention to restart the service. For time-sensitive IoT applications (industrial monitoring, sensor telemetry, real-time analytics), even brief downtime can result in lost data, missed alerts, and operational disruption.

Affected systems

TDengine versions 3.4.0.0 through 3.4.1.5 are vulnerable. Version 3.4.1.6 and later contain the fix. Any deployment using TDengine in this version range—whether on-premises or cloud-hosted—is at risk if the taosd RPC interface is accessible from an untrusted network or the internet.

Exploitability

Exploitability is high. The attack requires no authentication, no prior knowledge of the target state, and no user interaction. A single network packet triggers the crash, making it trivial to automate. The barrier to exploitation is extremely low; an attacker with network access to the RPC port can launch the attack in seconds. However, the CVSS score reflects the impact (availability loss only, not confidentiality or integrity compromise).

Remediation

Upgrade TDengine to version 3.4.1.6 or later immediately. No workarounds exist short of restricting network access to the RPC interface via firewall rules or network segmentation. For organizations unable to patch immediately, isolate the taosd service behind a firewall and restrict RPC access to trusted internal networks only.

Patch guidance

Apply the patch by upgrading to TDengine version 3.4.1.6 or later. Consult the official TDengine release notes and vendor advisory for upgrade procedures specific to your deployment (clustered, single-node, containerized, etc.). Test the upgrade in a non-production environment first to ensure compatibility with your existing schemas and applications. Schedule the upgrade during a maintenance window, as restarting taosd will temporarily halt database operations.

Detection guidance

Monitor for unexpected taosd process crashes or restarts, particularly if they correlate with suspicious network traffic on the RPC port. Implement network-based IDS/IPS signatures to detect anomalous RPC packets destined for TDengine. Log all RPC connection attempts and monitor for sources sending packets to the taosd RPC port from unexpected IP addresses. After patching, verify version compliance via the TDengine version endpoint or package inventory tools.

Why prioritize this

This vulnerability merits high priority remediation due to the combination of zero-authentication access, trivial exploitability, and direct impact on availability in a critical infrastructure component. Although confidentiality and integrity are not affected, denial of service to a core database supporting IoT operations can cascade across dependent systems. The fix is straightforward (a version upgrade), and the attack is easily weaponized by any network-adjacent attacker.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects the availability impact (A:H) combined with a low attack complexity (AC:L), no authentication requirement (PR:N), and network-based attack vector (AV:N). The score appropriately penalizes the ease of exploitation but does not award points for confidentiality or integrity loss, as the vulnerability only enables denial of service. In the context of a critical time-series database, the business risk often exceeds the base CVSS rating.

Frequently asked questions

Can an attacker steal data or modify records using this vulnerability?

No. This vulnerability only causes the taosd process to crash; it does not leak data, enable unauthorized reads, or allow data modification. The impact is limited to availability—the database becomes unavailable until restarted.

Does the attack require the attacker to be on the same network as the TDengine server?

The attacker must have network connectivity to the taosd RPC port. If that port is exposed to the internet, an attacker from anywhere can launch the attack. If the port is restricted to internal networks only, the attacker must be on or able to reach the internal network.

What versions are safe?

TDengine version 3.4.1.6 and all subsequent releases contain the patch. Versions 3.4.0.0 through 3.4.1.5 are vulnerable. Verify your installed version using the TDengine CLI or version endpoint.

Is there a temporary workaround if we cannot patch immediately?

Yes. Restrict access to the RPC port (typically port 6030) using host-based firewalls or network ACLs. Allow only trusted internal clients to connect. This mitigates the attack surface until you can upgrade. However, patching remains the permanent solution.

This analysis is provided for informational purposes to support vulnerability assessment and risk prioritization. The vulnerability details, affected versions, and patch information are derived from the CVE record and vendor advisory. Organizations should verify all findings against their own environment and consult official TDengine documentation and security advisories before implementing remediation. SEC.co makes no warranty regarding the completeness or timeliness of this intelligence. Always test patches in a non-production environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).