CVE-2026-25791: Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service

February 6, 2026 (updated February 9, 2026)

The DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating OTP values, even when EnforceOTP is enabled. Because sessions are stored without a cleanup/expiry path in this flow, an unauthenticated remote actor can repeatedly create sessions and drive memory exhaustion.

References

github.com/BishopFox/sliver
github.com/BishopFox/sliver/commit/2b65089b27c553e79e69f1067cad1339e4f3d937
github.com/BishopFox/sliver/releases/tag/v1.7.0
github.com/BishopFox/sliver/security/advisories/GHSA-wxrw-gvg8-fqjp
github.com/advisories/GHSA-wxrw-gvg8-fqjp
nvd.nist.gov/vuln/detail/CVE-2026-25791

Code Behaviors & Features

Detect and mitigate CVE-2026-25791 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →