Common Weakness Enumeration

CWE-121

Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

CVE-2026-34702 (GCVE-0-2026-34702)

Vulnerability from cvelistv5 – Published: 2026-06-09 17:43 – Updated: 2026-06-10 03:59
VLAI
Title
InDesign Desktop | Stack-based Buffer Overflow (CWE-121)
Summary
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based Buffer Overflow (CWE-121)
Assigner
References
Impacted products
Vendor Product Version
Adobe InDesign Desktop Affected: 0 , ≤ 20.5.3 (semver)
Create a notification for this product.
Date Public
2026-06-09 17:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34702",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T03:59:38.542Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "InDesign Desktop",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "20.5.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "HIGH",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "LOCAL",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow (CWE-121)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T17:43:47.708Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/indesign/apsb26-58.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "InDesign Desktop | Stack-based Buffer Overflow (CWE-121)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2026-34702",
    "datePublished": "2026-06-09T17:43:47.708Z",
    "dateReserved": "2026-03-30T17:30:36.498Z",
    "dateUpdated": "2026-06-10T03:59:38.542Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34708 (GCVE-0-2026-34708)

Vulnerability from cvelistv5 – Published: 2026-06-09 17:49 – Updated: 2026-06-10 03:59
VLAI
Title
InCopy | Stack-based Buffer Overflow (CWE-121)
Summary
InCopy versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based Buffer Overflow (CWE-121)
Assigner
References
Impacted products
Vendor Product Version
Adobe InCopy Affected: 0 , ≤ 20.5.3 (semver)
Create a notification for this product.
Date Public
2026-06-09 17:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34708",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T03:59:04.694Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "InCopy",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "20.5.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "InCopy versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 7.8,
            "environmentalSeverity": "HIGH",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "HIGH",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "LOCAL",
            "modifiedAvailabilityImpact": "HIGH",
            "modifiedConfidentialityImpact": "HIGH",
            "modifiedIntegrityImpact": "HIGH",
            "modifiedPrivilegesRequired": "NONE",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "REQUIRED",
            "privilegesRequired": "NONE",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 7.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow (CWE-121)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T17:49:15.646Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/incopy/apsb26-59.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "InCopy | Stack-based Buffer Overflow (CWE-121)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2026-34708",
    "datePublished": "2026-06-09T17:49:15.646Z",
    "dateReserved": "2026-03-30T17:30:36.498Z",
    "dateUpdated": "2026-06-10T03:59:04.694Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-35083 (GCVE-0-2026-35083)

Vulnerability from cvelistv5 – Published: 2026-06-03 10:41 – Updated: 2026-06-09 10:31
VLAI
Title
Stack buffer overflow in method bac-deviceobject
Summary
A remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
MBS Single-A Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-A Profibus Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-A x-link Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Single-X Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X CAN Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X DALI Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X KNX Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X LON Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X M-Bus Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X PROFINET Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X x-link Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X KNX+DALI Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X KNX+LON Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X KNX+M-Bus Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X PROFINET+DALI Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X PROFINET+KNX Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X PROFINET+LON Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X PROFINET+M-Bus Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
Credits
Damian Pfammatter from Armasuisse Cyber-Defence campus Daniel Hulliger from ArmasuisseCyber-Defence campus
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35083",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T13:13:32.326556Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T14:07:23.610Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Single-A",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-A Profibus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-A x-link",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Single-X",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X CAN",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X KNX",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X PROFINET",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X x-link",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+KNX",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Damian Pfammatter from Armasuisse Cyber-Defence campus"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Daniel Hulliger from ArmasuisseCyber-Defence campus"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root.\u003c/p\u003e"
            }
          ],
          "value": "A remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T10:31:42.916Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
        }
      ],
      "source": {
        "advisory": "VDE-2026-039",
        "defect": [
          "CERT@VDE#642009"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Stack buffer overflow in method bac-deviceobject",
      "x_generator": {
        "engine": "Vulnogram 0.4.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2026-35083",
    "datePublished": "2026-06-03T10:41:44.226Z",
    "dateReserved": "2026-04-01T08:28:27.142Z",
    "dateUpdated": "2026-06-09T10:31:42.916Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-35084 (GCVE-0-2026-35084)

Vulnerability from cvelistv5 – Published: 2026-06-03 10:42 – Updated: 2026-06-09 10:31
VLAI
Title
Stack buffer overflow in method dali-devconfig
Summary
A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
MBS Single-A Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-A Profibus Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-A x-link Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Single-X Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X CAN Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X DALI Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X KNX Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X LON Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X M-Bus Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X PROFINET Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X x-link Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X KNX+DALI Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X KNX+LON Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X KNX+M-Bus Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X PROFINET+DALI Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X PROFINET+KNX Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X PROFINET+LON Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X PROFINET+M-Bus Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
Credits
Damian Pfammatter from Armasuisse Cyber-Defence campus Daniel Hulliger from Armasuisse Cyber-Defence campus
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35084",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T19:14:32.995589Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T19:14:54.458Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Single-A",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-A Profibus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-A x-link",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Single-X",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X CAN",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X KNX",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X PROFINET",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X x-link",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+KNX",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Damian Pfammatter from Armasuisse Cyber-Defence campus"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Daniel Hulliger from Armasuisse Cyber-Defence campus"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root.\u003c/p\u003e"
            }
          ],
          "value": "A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T10:31:00.391Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
        }
      ],
      "source": {
        "advisory": "VDE-2026-039",
        "defect": [
          "CERT@VDE#642009"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Stack buffer overflow in method dali-devconfig",
      "x_generator": {
        "engine": "Vulnogram 0.4.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2026-35084",
    "datePublished": "2026-06-03T10:42:03.287Z",
    "dateReserved": "2026-04-01T08:28:27.142Z",
    "dateUpdated": "2026-06-09T10:31:00.391Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-35085 (GCVE-0-2026-35085)

Vulnerability from cvelistv5 – Published: 2026-06-03 10:42 – Updated: 2026-06-09 10:29
VLAI
Title
Stack buffer overflow in method gdv-serverconfig
Summary
A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
MBS Single-A Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-A Profibus Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-A x-link Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Single-X Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X CAN Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X DALI Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X KNX Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X LON Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X M-Bus Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X PROFINET Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Double-X x-link Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X KNX+DALI Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X KNX+LON Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X KNX+M-Bus Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X PROFINET+DALI Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X PROFINET+KNX Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X PROFINET+LON Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
MBS Triple-X PROFINET+M-Bus Affected: V1_0_0_0 , < V6_0_0_7 (custom)
Create a notification for this product.
Credits
Damian Pfammatter from Armasuisse Cyber-Defence campus. Daniel Hulliger from Armasuisse Cyber-Defence campus.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35085",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T12:38:10.423532Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T12:38:18.598Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Single-A",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-A Profibus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-A x-link",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Single-X",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X CAN",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X KNX",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X PROFINET",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X x-link",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+KNX",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_0_0_7",
              "status": "affected",
              "version": "V1_0_0_0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_0_0_7",
                  "versionStartIncluding": "V1_0_0_0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Damian Pfammatter from Armasuisse Cyber-Defence campus."
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Daniel Hulliger from Armasuisse Cyber-Defence campus."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root.\u003c/p\u003e"
            }
          ],
          "value": "A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T10:29:31.629Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
        }
      ],
      "source": {
        "advisory": "VDE-2026-039",
        "defect": [
          "CERT@VDE#642009"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Stack buffer overflow in method gdv-serverconfig",
      "x_generator": {
        "engine": "Vulnogram 0.4.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2026-35085",
    "datePublished": "2026-06-03T10:42:22.835Z",
    "dateReserved": "2026-04-01T08:28:27.142Z",
    "dateUpdated": "2026-06-09T10:29:31.629Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-35553 (GCVE-0-2026-35553)

Vulnerability from cvelistv5 – Published: 2026-04-13 04:03 – Updated: 2026-04-13 15:00
VLAI
Summary
Bluetooth ACPI Drivers provided by Dynabook Inc. contain a stack-based buffer overflow vulnerability. An attacker may execute arbitrary code by modifying certain registry values.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based buffer overflow
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35553",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T15:00:14.215479Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T15:00:22.042Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TOSRFEC.SYS",
          "vendor": "Dynabook Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "product": "DRFEC.SYS",
          "vendor": "Dynabook Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "v11.0.0.0 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Bluetooth ACPI Drivers provided by Dynabook Inc. contain a stack-based buffer overflow vulnerability. An attacker may execute arbitrary code by modifying certain registry values."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based buffer overflow",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T04:03:43.009Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://global.sharp/corporate/info/product-security/advisory-list/2026-001/"
        },
        {
          "url": "https://corporate.jp.sharp/info/product-security/advisory-list/2026-001/"
        },
        {
          "url": "https://jvn.jp/en/vu/JVNVU96334293/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2026-35553",
    "datePublished": "2026-04-13T04:03:43.009Z",
    "dateReserved": "2026-04-03T08:21:59.910Z",
    "dateUpdated": "2026-04-13T15:00:22.042Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3613 (GCVE-0-2026-3613)

Vulnerability from cvelistv5 – Published: 2026-03-06 01:02 – Updated: 2026-03-09 15:31
VLAI
Title
Wavlink WL-NU516U1 login.cgi sub_401A0C stack-based overflow
Summary
A vulnerability was identified in Wavlink WL-NU516U1 V240425. This vulnerability affects the function sub_401A0C of the file /cgi-bin/login.cgi. Such manipulation of the argument ipaddr leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.349221 vdb-entrytechnical-description
https://vuldb.com/?ctiid.349221 signaturepermissions-required
https://vuldb.com/?submit.755341 third-party-advisory
https://github.com/Wlz1112/WAVLINK-NU516-V240425/… exploit
Impacted products
Vendor Product Version
Wavlink WL-NU516U1 Affected: V240425
    cpe:2.3:o:wavlink:wl-nu516u1_firmware:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
haimianbaobao (VulDB User) VulDB
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3613",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T15:31:07.689650Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T15:31:15.166Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:o:wavlink:wl-nu516u1_firmware:*:*:*:*:*:*:*:*"
          ],
          "product": "WL-NU516U1",
          "vendor": "Wavlink",
          "versions": [
            {
              "status": "affected",
              "version": "V240425"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "haimianbaobao (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was identified in Wavlink WL-NU516U1 V240425. This vulnerability affects the function sub_401A0C of the file /cgi-bin/login.cgi. Such manipulation of the argument ipaddr leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 8.3,
            "vectorString": "AV:N/AC:L/Au:M/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Memory Corruption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T01:02:07.731Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-349221 | Wavlink WL-NU516U1 login.cgi sub_401A0C stack-based overflow",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.349221"
        },
        {
          "name": "VDB-349221 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.349221"
        },
        {
          "name": "Submit #755341 | Wavlink NU516U1 V240425 Stack-based Buffer Overflow",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.755341"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/Wlz1112/WAVLINK-NU516-V240425/blob/main/ipaddr_Stack%20Buffer%20Overflow.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-05T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-03-05T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-03-05T19:26:07.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Wavlink WL-NU516U1 login.cgi sub_401A0C stack-based overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-3613",
    "datePublished": "2026-03-06T01:02:07.731Z",
    "dateReserved": "2026-03-05T18:20:51.728Z",
    "dateUpdated": "2026-03-09T15:31:15.166Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3677 (GCVE-0-2026-3677)

Vulnerability from cvelistv5 – Published: 2026-03-07 22:02 – Updated: 2026-03-11 16:28
VLAI
Title
Tenda FH451 setcfm fromSetCfm stack-based overflow
Summary
A vulnerability was found in Tenda FH451 1.0.0.9. This impacts the function fromSetCfm of the file /goform/setcfm. The manipulation of the argument funcname/funcpara1 results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.349579 vdb-entrytechnical-description
https://vuldb.com/?ctiid.349579 signaturepermissions-required
https://vuldb.com/?submit.765329 third-party-advisory
https://github.com/Litengzheng/vul_db/blob/main/F… exploit
https://www.tenda.com.cn/ product
Impacted products
Vendor Product Version
Tenda FH451 Affected: 1.0.0.9
    cpe:2.3:o:tenda:fh451_firmware:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
LtzHuster (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3677",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T16:25:47.536252Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T16:28:13.917Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:o:tenda:fh451_firmware:*:*:*:*:*:*:*:*"
          ],
          "product": "FH451",
          "vendor": "Tenda",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0.9"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "LtzHuster (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Tenda FH451 1.0.0.9. This impacts the function fromSetCfm of the file /goform/setcfm. The manipulation of the argument funcname/funcpara1 results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 9,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Memory Corruption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T22:02:11.224Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-349579 | Tenda FH451 setcfm fromSetCfm stack-based overflow",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.349579"
        },
        {
          "name": "VDB-349579 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.349579"
        },
        {
          "name": "Submit #765329 | Tenda FH451 V1.0.0.9 Stack-based Buffer Overflow",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.765329"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/Litengzheng/vul_db/blob/main/FH451/vul_61/README.md"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.tenda.com.cn/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-03-06T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-03-06T22:27:11.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Tenda FH451 setcfm fromSetCfm stack-based overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-3677",
    "datePublished": "2026-03-07T22:02:11.224Z",
    "dateReserved": "2026-03-06T21:22:00.791Z",
    "dateUpdated": "2026-03-11T16:28:13.917Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3678 (GCVE-0-2026-3678)

Vulnerability from cvelistv5 – Published: 2026-03-07 22:32 – Updated: 2026-03-11 16:28
VLAI
Title
Tenda FH451 AdvSetWan sub_3C434 stack-based overflow
Summary
A vulnerability was determined in Tenda FH451 1.0.0.9. Affected is the function sub_3C434 of the file /goform/AdvSetWan. This manipulation of the argument wanmode/PPPOEPassword causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.349580 vdb-entrytechnical-description
https://vuldb.com/?ctiid.349580 signaturepermissions-required
https://vuldb.com/?submit.765330 third-party-advisory
https://github.com/Litengzheng/vul_db/blob/main/F… exploit
https://www.tenda.com.cn/ product
Impacted products
Vendor Product Version
Tenda FH451 Affected: 1.0.0.9
    cpe:2.3:o:tenda:fh451_firmware:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
LtzHuster (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3678",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T16:25:45.449050Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T16:28:08.366Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:o:tenda:fh451_firmware:*:*:*:*:*:*:*:*"
          ],
          "product": "FH451",
          "vendor": "Tenda",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0.9"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "LtzHuster (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was determined in Tenda FH451 1.0.0.9. Affected is the function sub_3C434 of the file /goform/AdvSetWan. This manipulation of the argument wanmode/PPPOEPassword causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 9,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Memory Corruption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T22:32:09.041Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-349580 | Tenda FH451 AdvSetWan sub_3C434 stack-based overflow",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.349580"
        },
        {
          "name": "VDB-349580 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.349580"
        },
        {
          "name": "Submit #765330 | Tenda FH451 V1.0.0.9 Stack-based Buffer Overflow",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.765330"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/Litengzheng/vul_db/blob/main/FH451/vul_62/README.md"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.tenda.com.cn/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-03-06T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-03-06T22:27:13.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Tenda FH451 AdvSetWan sub_3C434 stack-based overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-3678",
    "datePublished": "2026-03-07T22:32:09.041Z",
    "dateReserved": "2026-03-06T21:22:04.174Z",
    "dateUpdated": "2026-03-11T16:28:08.366Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3679 (GCVE-0-2026-3679)

Vulnerability from cvelistv5 – Published: 2026-03-07 22:32 – Updated: 2026-03-11 16:28
VLAI
Title
Tenda FH451 QuickIndex formQuickIndex stack-based overflow
Summary
A vulnerability was identified in Tenda FH451 1.0.0.9. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex. Such manipulation of the argument mit_linktype/PPPOEPassword leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.349581 vdb-entrytechnical-description
https://vuldb.com/?ctiid.349581 signaturepermissions-required
https://vuldb.com/?submit.765331 third-party-advisory
https://github.com/Litengzheng/vul_db/blob/main/F… exploit
https://www.tenda.com.cn/ product
Impacted products
Vendor Product Version
Tenda FH451 Affected: 1.0.0.9
    cpe:2.3:o:tenda:fh451_firmware:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
LtzHuster (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3679",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T16:25:43.168139Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T16:28:02.770Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:o:tenda:fh451_firmware:*:*:*:*:*:*:*:*"
          ],
          "product": "FH451",
          "vendor": "Tenda",
          "versions": [
            {
              "status": "affected",
              "version": "1.0.0.9"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "LtzHuster (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was identified in Tenda FH451 1.0.0.9. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex. Such manipulation of the argument mit_linktype/PPPOEPassword leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 9,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Memory Corruption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T22:32:12.264Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-349581 | Tenda FH451 QuickIndex formQuickIndex stack-based overflow",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.349581"
        },
        {
          "name": "VDB-349581 | CTI Indicators (IOB, IOC, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.349581"
        },
        {
          "name": "Submit #765331 | Tenda FH451 V1.0.0.9 Stack-based Buffer Overflow",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.765331"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/Litengzheng/vul_db/blob/main/FH451/vul_63/README.md"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.tenda.com.cn/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-03-06T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-03-06T22:27:14.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Tenda FH451 QuickIndex formQuickIndex stack-based overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-3679",
    "datePublished": "2026-03-07T22:32:12.264Z",
    "dateReserved": "2026-03-06T21:22:06.801Z",
    "dateUpdated": "2026-03-11T16:28:02.770Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation ID: MIT-10

Phases: Operation, Build and Compilation

Strategy: Environment Hardening

Description:

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation

Phase: Architecture and Design

Description:

  • Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation

Phase: Implementation

Description:

  • Implement and perform bounds checking on input.
Mitigation

Phase: Implementation

Description:

  • Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors.
Mitigation ID: MIT-11

Phases: Operation, Build and Compilation

Strategy: Environment Hardening

Description:

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].

No CAPEC attack patterns related to this CWE.

Back to CWE stats page