{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22904", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2026-01-13T08:33:25.683Z", "datePublished": "2026-02-09T07:40:00.484Z", "dateUpdated": "2026-02-09T15:34:53.334Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "0852-1322", "vendor": "WAGO", "versions": [{"lessThanOrEqual": "2.64", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "0852-1328", "vendor": "WAGO", "versions": [{"lessThanOrEqual": "2.64", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "0852-1322", "vendor": "WAGO", "versions": [{"status": "affected", "version": "2.64"}]}, {"defaultStatus": "unaffected", "product": "0852-1328", "vendor": "WAGO", "versions": [{"status": "affected", "version": "2.64"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Diconium"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulting in a denial\u2011of\u2011service condition and possible remote code execution.<br>"}], "value": "Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulting in a denial\u2011of\u2011service condition and possible remote code execution."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-02-09T07:40:00.484Z"}, "references": [{"url": "https://certvde.com/de/advisories/VDE-2026-004"}], "source": {"advisory": "VDE-2026-004", "defect": ["CERT@VDE#641934"], "discovery": "UNKNOWN"}, "title": "Stack Overflow via Oversized Cookie Fields in lighttpd", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:34:33.982565Z", "id": "CVE-2026-22904", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:34:53.334Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22904", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-09T15:34:33.982565Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:34:45.941Z"}}], "cna": {"title": "Stack Overflow via Oversized Cookie Fields in lighttpd", "source": {"defect": ["CERT@VDE#641934"], "advisory": "VDE-2026-004", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Diconium"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WAGO", "product": "0852-1322", "versions": [{"status": "affected", "version": "0.0.0", "versionType": "semver", "lessThanOrEqual": "2.64"}], "defaultStatus": "unaffected"}, {"vendor": "WAGO", "product": "0852-1328", "versions": [{"status": "affected", "version": "0.0.0", "versionType": "semver", "lessThanOrEqual": "2.64"}], "defaultStatus": "unaffected"}, {"vendor": "WAGO", "product": "0852-1322", "versions": [{"status": "affected", "version": "2.64"}], "defaultStatus": "unaffected"}, {"vendor": "WAGO", "product": "0852-1328", "versions": [{"status": "affected", "version": "2.64"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://certvde.com/de/advisories/VDE-2026-004"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulting in a denial\u2011of\u2011service condition and possible remote code execution.", "supportingMedia": [{"type": "text/html", "value": "Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulting in a denial\u2011of\u2011service condition and possible remote code execution.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-02-09T07:40:00.484Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22904", "state": "PUBLISHED", "dateUpdated": "2026-02-09T15:34:53.334Z", "dateReserved": "2026-01-13T08:33:25.683Z", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "datePublished": "2026-02-09T07:40:00.484Z", "assignerShortName": "CERTVDE"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulting in a denial\u2011of\u2011service condition and possible remote code execution."}, {"lang": "es", "value": "El manejo inadecuado de la longitud al analizar m\u00faltiples campos de cookie (incluido TRACKID) permite a un atacante remoto no autenticado enviar valores de cookie de tama\u00f1o excesivo y desencadenar un desbordamiento de b\u00fafer de pila, lo que resulta en una condici\u00f3n de denegaci\u00f3n de servicio y posible ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2026-22904", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "info@cert.vde.com", "type": "Primary"}]}, "published": "2026-02-09T08:16:11.387", "references": [{"source": "info@cert.vde.com", "url": "https://certvde.com/de/advisories/VDE-2026-004"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "info@cert.vde.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.64]"}}], "product": "0852-1322", "vendor": "wago"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.64"}}], "product": "0852-1322", "vendor": "wago"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,2.64]"}}], "product": "0852-1328", "vendor": "wago"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.64"}}], "product": "0852-1328", "vendor": "wago"}], "analysis": {"en": {"generated_at": "2026-04-17T21:32:07.361317+00:00", "value": {"mitigation_remediation": ["Upgrade the device firmware or lighttpd component to a version that includes the stack length check fix provided by WAGO.", "If an immediate firmware update is not available, deploy a network perimeter filter (IDS/IPS or reverse proxy) to block HTTP requests with cookie fields that exceed the allowed size, thereby preventing the overflow trigger.", "Disable, if permissible, HTTP cookie support or truncate cookie values at the application or proxy layer to eliminate the overwrite condition.", "Monitor system logs for abnormal cookie size patterns and investigate any repeated attempts to trigger the overflow condition."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected systems are devices manufactured by WAGO, specifically model series 0852\u20111322 and 0852\u20111328. No specific firmware or software versions are listed in the vendor advisory, so all current releases of these models that incorporate the vulnerable lighttpd component are potentially impacted.", "description_and_impact": "The vulnerability is caused by improper length handling when parsing multiple cookie fields, including TRACKID, in the lighttpd web server. An unauthenticated attacker can send oversized cookie values that overflow a stack buffer, which can lead to a denial\u2011of\u2011service and, in the worst case, allow remote code execution. This flaw is identified as a stack-based buffer overflow (CWE\u2011121).", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical level of severity, while the EPSS score of less than 1% suggests that the probability of exploitation at this time is low. The vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector is over the network: an attacker crafts an HTTP request containing oversized cookie fields and sends it to the affected lighttpd instance. No authentication is required, so the threat can be launched remotely against any system that is reachable and is using the vulnerable software component. This makes the risk high, especially if the device is exposed to the internet or an untrusted network."}}}}, "created": "2026-02-10T12:23:50.615862+00:00", "title": "Stack Overflow via Oversized Cookie Fields in lighttpd", "updated": "2026-04-17T21:45:28.603558+00:00", "vendors": ["wago", "wago$PRODUCT$0852-1322", "wago$PRODUCT$0852-1328"]}