CVE-2026-8047
Awaiting Analysis Awaiting Analysis - Queue
Improper Length Check Leads to DoS in Network Device

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: CERT VDE

Description
The affected products perform improper length checking when parsing incoming HTTP requests, resulting in a size-limited out-of-bounds write. An unauthenticated remote attacker can exploit this flaw to cause a denial of service via a system crash on the affected device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-8047
EUVD
EUVD-2026-31800
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
codesys control to 3.5.22.20 (inc)
codesys control to 4.21.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-8047 vulnerability affects multiple CODESYS Control products due to improper bounds checking in the CmpWebServer component.

This flaw allows an unauthenticated remote attacker to send a specially crafted HTTP request that triggers a size-limited out-of-bounds write.

As a result, the CODESYS Control Runtime crashes, causing a denial of service on the affected device.

The issue only impacts systems where the web server is active, which requires a running application with enabled Web Visualization.

Detection Guidance

This vulnerability affects systems running CODESYS Control products with the web server active, specifically when Web Visualization is enabled. Detection involves identifying if the affected CODESYS Control Runtime versions are in use and if the web server component (CmpWebServer) is running.

Since the vulnerability is triggered by specially crafted HTTP requests causing out-of-bounds writes and crashes, monitoring for unusual HTTP requests or system crashes related to the web server may help detect exploitation attempts.

Specific commands are not provided in the available resources, but general steps include checking running processes for CODESYS Control Runtime and verifying the version installed to determine if it is vulnerable.

Mitigation Strategies

Immediate mitigation involves updating the affected CODESYS Control products to the fixed versions: 3.5.22.20 or 4.21.0.0, depending on the product platform.

Additionally, if possible, disable the web server component or Web Visualization feature until the update can be applied, as the vulnerability only impacts systems with the web server active.

Monitoring network traffic for suspicious HTTP requests and restricting access to the web server may also reduce the risk of exploitation.

Impact Analysis

An unauthenticated remote attacker can exploit this vulnerability to cause a denial of service by crashing the affected device.

This means that the system running the vulnerable CODESYS Control product could become unavailable, potentially disrupting operations that depend on it.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8047. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart