Intel

AIKIDO-2026-487725

WolverineFx is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2026

53

Medium Risk

This Affects:

DOTNETWolverineFx
0.8.2 - 6.9.0
Fixed in 6.10.0
Are you affected? Scan for Free

TL;DR

The message handler pipeline's last-resort exception handler in HandlerPipeline.InvokeAsync performs unguarded recovery work, acknowledging the failed envelope with CompleteAsync and logging the exception without protecting against failures in that recovery path. When an inbound message drives the application's deserialization into resource exhaustion such as an OutOfMemoryException, the acknowledgement and logging calls reallocate at the memory ceiling and rethrow, so the exception escapes the pipeline and faults the receiver loop. The listener stops and the host exits cleanly, which an orchestrator reads as a successful shutdown and restarts straight back into the same unacknowledged poison message, producing a persistent crash loop from a single message. The fix moves recovery into a guarded helper that contains secondary failures so the listener stays alive and keeps processing other messages.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

WolverineFx is vulnerable to Denial of Service (DoS) in versions 0.8.2 - 6.9.0.

How to fix this

Upgrade the WolverineFx library to the patch version.