CVE-2026-25791: Sliver has DNS C2 OTP Bypass that Allows Unauthenticated Session Flooding and Denial of Service
The DNS C2 listener accepts unauthenticated TOTP bootstrap messages and allocates server-side DNS sessions without validating the OTP values, even when EnforceOTP is enabled. Because sessions created through this flow have no cleanup or expiry path, an unauthenticated remote actor can create them repeatedly and exhaust server memory, causing a denial of service.