CVE-2026-22903
Awaiting Analysis Awaiting Analysis - Queue
Stack Buffer Overflow in Lighttpd SESSIONID Cookie Enables RCE

Publication date: 2026-02-09

Last updated on: 2026-02-09

Assigner: CERT VDE

Description
An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to missing stack protections.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-02-09
Generated
2026-06-16
AI Q&A
2026-02-09
EPSS Evaluated
2026-06-14
NVD
CVE-2026-22903
EUVD
EUVD-2026-6925
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lighttpd lighttpd *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-22903 is a critical stack-based buffer overflow vulnerability in a modified lighttpd server used in the WAGO 852-1328 Industrial-Managed-Switch firmware version 2.64 and earlier. An unauthenticated remote attacker can send a specially crafted HTTP request containing an overly long SESSIONID cookie, which triggers the overflow. This can cause the server to crash and potentially allows the attacker to execute arbitrary code remotely.'}, {'type': 'paragraph', 'content': "The vulnerability also enables bypassing authentication controls and obtaining plaintext administrative credentials due to weaknesses in the device's web-based management interface."}] [1]

Impact Analysis

This vulnerability can have severe impacts including remote code execution by attackers, crashing the web service, bypassing authentication mechanisms, and exposing plaintext administrative credentials. Such impacts can lead to full compromise of the affected device, unauthorized access, disruption of services, and potential further exploitation within the network.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for unusually long SESSIONID cookies in HTTP requests sent to the affected lighttpd server or the WAGO 852-1328 Industrial-Managed-Switch web interface.

Network detection can involve capturing HTTP traffic and inspecting cookie lengths for anomalies.

On the system hosting the vulnerable service, checking for crashes or abnormal behavior of the lighttpd server process may indicate exploitation attempts.

Specific commands are not provided in the available resources.

Mitigation Strategies

The immediate recommended mitigation is to update the firmware of the affected device (WAGO 852-1328 Industrial-Managed-Switch) to version 02.65 or later, which addresses this and other related vulnerabilities.

Until the update can be applied, restricting access to the web-based management interface and monitoring for suspicious activity may help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22903. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart