CVE-2026-35227
Received Received - Intake
Unauthenticated TCP Connection Exhaustion in CODESYS Modbus TCP Server

Publication date: 2026-05-12

Last updated on: 2026-05-12

Assigner: CERT VDE

Description
An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is successfully exploited, preventing legitimate clients from establishing new connections.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-12
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-35227
EUVD
EUVD-2026-29390
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
codesys modbus_tcp_server to 4.6.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-772 The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-35227 vulnerability affects the CODESYS Modbus TCP Server, specifically versions prior to 4.6.0.0. It is caused by improper resource management in the Modbus TCP Server protocol stack library, which can be exploited through a race condition in connection handling.

An unauthenticated remote attacker can trigger this race condition to exhaust the maximum number of TCP connections configured on the server. This prevents new connections from being accepted, effectively denying legitimate clients access to the server.

The vulnerability only exists in CODESYS projects that include a Modbus TCP server configuration.

Impact Analysis

This vulnerability can be exploited by an unauthenticated remote attacker to exhaust all available TCP connections on the CODESYS Modbus TCP Server.

As a result, legitimate clients will be unable to establish new connections to the server, causing a denial of service (DoS) condition.

This can disrupt normal operations and communication with the affected device or system, potentially impacting industrial control processes that rely on the Modbus TCP Server.

Detection Guidance

The vulnerability involves exhaustion of all available TCP connections in the CODESYS Modbus TCP Server stack due to a race condition in connection handling. Detection would involve monitoring the number of active TCP connections to the Modbus TCP Server and identifying if the maximum configured connections are being reached unexpectedly, preventing new legitimate connections.

Specific commands are not provided in the available resources, but typical network or system commands to monitor TCP connections include using tools like netstat or ss on the server hosting the Modbus TCP Server to check current TCP connection states and counts.

Mitigation Strategies

To mitigate this vulnerability, update the CODESYS Modbus TCP Server to version 4.6.0.0 or later.

Additionally, update the local Modbus TCP Server in the device tree and perform a download of the updated CODESYS application to the PLC.

The fix can be obtained through the CODESYS Installer, CODESYS Store, or the CODESYS Update area.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35227. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart