This paper identifies a novel vulnerability in antivirus/EDR telemetry processing pipelines: a fundamental mismatch between unbounded telemetry collection mechanisms and bounded backend processing capacity, exploitable for Denial-of-Analysis (DoA) attacks. To exploit this, the authors introduce Telemetry Complexity Attacks (TCAs)—a new attack paradigm that recursively generates deeply nested, ultra-large-scale process behavioral telemetry to overwhelm JSON/BSON serializers, database insertion logic, and frontend visualization layers, triggering boundary failures including data truncation, insertion errors, stack overflows, and UI unresponsiveness. The approach was validated across 12 mainstream antivirus and EDR products; seven exhibited confirmed vulnerabilities, two vendors received assigned CVEs (CVE-2025-61301, CVE-2025-61303), and multiple vendors subsequently issued patches or mitigation guidance.

Anti-malware systems rely on sandboxes, hooks, and telemetry pipelines, including collection agents, serializers, and database backends, to monitor program and system behavior. We show that these data-handling components constitute an exploitable attack surface that can lead to denial-of-analysis (DoA) states without disabling sensors or requiring elevated privileges. As a result, we present Telemetry Complexity Attacks (TCAs), a new class of vulnerabilities that exploit fundamental mismatches between unbounded collection mechanisms and bounded processing capabilities. Our method recursively spawns child processes to generate specially crafted, deeply nested, and oversized telemetry that stresses serialization and storage boundaries, as well as visualization layers, for example, JSON/BSON depth and size limits. Depending on the product, this leads to various inconsistent results, such as truncated or missing behavioral reports, rejected database inserts, serializer recursion and size errors, and unresponsive dashboards. In the latter cases, depending on the solution, the malware under test is either not recorded and/or not presented to the analysts. Therefore, instead of evading sensors, we break the pipeline that stores the data captured by the sensors. We evaluate our technique against twelve commercial and open-source malware analysis platforms and endpoint detection and response (EDR) solutions. Seven products fail in different stages of the telemetry pipeline; two vendors assigned CVE identifiers (CVE-2025-61301 and CVE-2025-61303), and others issued patches or configuration changes. We discuss root causes and propose mitigation strategies to prevent DoA attacks triggered by adversarial telemetry.