GHSA-HJR9-WJ7V-7HV8
7.5
Sliver's Magic Number: Crashing C2 with a Single Packet
Alon Barad
Software EngineerJan 6, 2026·8 min read·2 visits
PoC Available
Executive Summary (TL;DR)
An unauthenticated attacker can send a huge HTTP request with a specially crafted nonce (any multiple of 65537) to the Sliver C2 server. This bypasses size checks, forcing the server to allocate massive amounts of memory, which crashes the process and terminates all active C2 sessions.
A critical vulnerability exists in the Sliver Command-and-Control (C2) framework that allows an unauthenticated, remote attacker to trigger a memory exhaustion condition, leading to a denial-of-service. The flaw stems from an unchecked code path for anonymous requests where the server reads the entire HTTP request body into memory without any size limits. This bypass is triggered by providing a specific 'magic number' as a nonce, effectively giving the attacker control over the server's memory allocation.
Technical Appendix
CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HAffected Systems
Sliver Command-and-Control (C2) Server
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Sliver Bishop Fox | Refer to vendor advisory | - |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-400 |
| CWE Name | Uncontrolled Resource Consumption |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| CVSS v3.1 Score | 7.5 (High) |
| Impact | Denial of Service |
| Exploit Status | Proof-of-Concept Available |
MITRE ATT&CK Mapping
CWE-400
Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, such as memory, which can lead to a denial of service when the resource is exhausted.