Cyber Resilience

CVE-2026-1507

High

Published: 10 February 2026
Modified: 15 April 2026
KEV Added: not listed
CVSS v4 score: 8.7 (High), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0028 (19.9th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-1507 is a high-severity Uncaught Exception (CWE-248) vulnerability in a product attributed to Cisa (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 19.9th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-1507 stems from an uncaught exception (CWE-248) in the affected products, which lets an unauthenticated attacker remotely crash core PI services and cause a denial-of-service condition. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): a high impact on availability, reachable over the network with low attack complexity and no requirement for privileges or user interaction.

Successful exploitation results solely in a denial of service: the crashed PI services become unavailable, while confidentiality and integrity are not affected.

For mitigation details, refer to the CISA ICS advisory at https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-03.

Vulnerability details

The affected products are vulnerable to an uncaught exception that could allow an unauthenticated attacker to remotely crash core PI services resulting in a denial-of-service.

CWE(s)

CWE-248: Uncaught Exception

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct remote exploitation of an uncaught exception to crash services matches Endpoint Denial of Service via application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31870 (shared CWE-248)
CVE-2025-20176 (shared CWE-248)
CVE-2026-32314 (shared CWE-248)
CVE-2026-32770 (shared CWE-248)
CVE-2026-34943 (shared CWE-248)
CVE-2026-44001 (shared CWE-248)
CVE-2026-43988 (shared CWE-248)
CVE-2026-24175 (shared CWE-248)
CVE-2025-20171 (shared CWE-248)
CVE-2026-44905 (shared CWE-248)

Affected Assets

Cisa (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-11 Error Handling (prevent): requires proper error and exception handling, so that uncaught exceptions cannot crash core services as exploited in this CVE.

SC-5 Denial-of-service Protection (prevent): limits the effects of remote unauthenticated attacks that crash services, directly addressing the CVE's availability impact.

SI-2 Flaw Remediation (prevent): ensures timely flaw remediation, including patching the specific uncaught exception vulnerability in the affected products.