CVE-2025-52494

HIGH

Adacore Ada Web Server < 26.0 - Denial of Service via Malformed TLS ClientHello

Title source: llm

Description

Adacore Ada Web Server (AWS) before 25.2 is vulnerable to a denial-of-service (DoS) condition due to improper handling of SSL handshakes during connection initialization. When a client initiates an HTTPS connection, the server performs the SSL handshake before assigning the connection to a processing slot. However, there is no specific timeout set for this phase, and the server uses the default socket timeout, which is effectively infinite. An attacker can exploit this by sending a malformed TLS ClientHello message with incorrect length values. This causes the server to wait indefinitely for data that never arrives, blocking the worker thread (Line) handling the connection. By opening multiple such connections, up to the server's maximum limit, the attacker can exhaust all available working threads, preventing the server from handling new, legitimate requests.

References (2)

Core 2

Core References

Product

https://adacore.com

Technical Description, Vendor Advisory

https://docs.adacore.com/corp/security-advisories/SEC.AWS-0095-v1.pdf

Scores

CVSS v3 7.5

EPSS 0.0033

EPSS Percentile 24.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770 CWE-400

Status published

Products (1)

adacore/ada_web_server < 26.0

Published Sep 03, 2025

Tracked Since Feb 18, 2026