CVE-2026-6643 | THREATINT

Description

A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to execute arbitrary code as the web server user. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

PUBLISHED Reserved 2026-04-20 | Published 2026-04-20 | Updated 2026-04-20 | Assigner ASUSTOR1

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Problem types

CWE-121 Stack-based buffer overflow

Product status

Default status

unaffected

4.1.0 (custom)

affected

5.0.0 (custom)

affected

Credits

YU-XIANG HUANG (mlgzackfly) finder

References

www.asustor.com/security/security_advisory_detail?id=54 vendor-advisory

cve.org (CVE-2026-6643)

nvd.nist.gov (CVE-2026-6643)

Download JSON