Cyber Resilience

CVE-2026-1949

Severity: Critical
Published: 24 April 2026
Modified: 11 May 2026
KEV Added: not listed
Patch: see Delta advisory PCSA-2026-00006
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0061 (44.9th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-1949 is a critical-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in Deltaww As320T Firmware. Its CVSS base score is 9.8 (Critical).

Exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 44.9th percentile by exploit likelihood (EPSS, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-1949 affects Delta Electronics AS320T, where the GET/PUT request handler in the web service performs an incorrect calculation of the buffer size on the stack. This flaw, classified as CWE-131 (Incorrect Calculation of Buffer Size), was published on 2026-04-24 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which places it in the Critical band.

Remote attackers require only network access to exploit this vulnerability, with low attack complexity, no privileges, and no user interaction. Crafted GET or PUT requests to the web service can produce high confidentiality, integrity, and availability impacts, most likely arbitrary code execution through the stack-based buffer overflow.
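To make the defect class concrete from the defender's side, the following C is an added illustration of what a correctly sized, validated body handler looks like for a fixed stack buffer. It is not code from this page, the Delta advisory, or the AS320T firmware; the buffer size, function names and status codes are assumptions. The two checks it performs (declared length against the real usable capacity, and declared length against the bytes actually received) are the input validation that the SI-10 control below refers to, and the explicit `dst_cap - 1` accounting is the size calculation that CWE-131 describes going wrong.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of safe buffer-size handling in a web request
 * handler. Not the AS320T firmware code: BODY_CAP, the function names and
 * the status codes are assumptions made for this example. */

#define BODY_CAP 256            /* fixed stack buffer for a request body (assumed size) */

enum copy_status { COPY_OK = 0, COPY_TOO_LARGE = 1, COPY_BAD_LENGTH = 2 };

/* Parse a decimal Content-Length value. Rejects empty strings, signs,
 * non-digits and values that would overflow size_t. Returns 1 on success. */
int parse_content_length(const char *s, size_t *out)
{
    size_t v = 0;
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s != '\0'; s++) {
        if (*s < '0' || *s > '9')
            return 0;
        size_t d = (size_t)(*s - '0');
        if (v > (SIZE_MAX - d) / 10)   /* v * 10 + d would wrap around */
            return 0;
        v = v * 10 + d;
    }
    *out = v;
    return 1;
}

/* Copy a request body into dst (dst_cap bytes) as a NUL-terminated string.
 * The size calculation is made explicit: the usable capacity is dst_cap - 1
 * because one byte is reserved for the terminator, and the declared length
 * is checked against both that capacity and the bytes actually received
 * before any copy takes place. */
int copy_body_checked(char *dst, size_t dst_cap,
                      const char *body, size_t declared_len, size_t received)
{
    if (dst_cap == 0)
        return COPY_BAD_LENGTH;
    size_t usable = dst_cap - 1;
    if (declared_len > usable)
        return COPY_TOO_LARGE;          /* would overrun the stack buffer */
    if (declared_len > received)
        return COPY_BAD_LENGTH;         /* header promises more than arrived */
    memcpy(dst, body, declared_len);
    dst[declared_len] = '\0';
    return COPY_OK;
}

/* Simulated PUT handler: a stack buffer plus the checks above. */
int handle_put(const char *content_length_hdr, const char *body, size_t received)
{
    char buf[BODY_CAP];
    size_t declared;
    if (!parse_content_length(content_length_hdr, &declared))
        return COPY_BAD_LENGTH;
    return copy_body_checked(buf, sizeof buf, body, declared, received);
}

/* Boundary helper: a constructed body of n 'A' bytes with a matching
 * Content-Length header, so the capacity edge can be exercised exactly. */
int handle_put_repeated(size_t n)
{
    char body[2 * BODY_CAP];
    char hdr[32];
    if (n > sizeof body)
        return COPY_BAD_LENGTH;
    memset(body, 'A', n);
    snprintf(hdr, sizeof hdr, "%zu", n);
    return handle_put(hdr, body, n);
}

int main(void)
{
    printf("5 bytes, declared 5:  %d (expect %d)\n", handle_put("5", "hello", 5), COPY_OK);
    printf("255 bytes:            %d (expect %d)\n", handle_put_repeated(255), COPY_OK);
    printf("256 bytes:            %d (expect %d)\n", handle_put_repeated(256), COPY_TOO_LARGE);
    printf("declared 10, got 5:   %d (expect %d)\n", handle_put("10", "hello", 5), COPY_BAD_LENGTH);
    printf("negative length:      %d (expect %d)\n", handle_put("-1", "hello", 5), COPY_BAD_LENGTH);
    return 0;
}
```

The 255/256 boundary is the case worth keeping in a unit test: a handler that compares the declared length against `sizeof buf` instead of `sizeof buf - 1` accepts 256 bytes and writes the terminator one past the end, which is exactly the miscalculation CWE-131 covers.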

Delta Electronics advisory PCSA-2026-00006 addresses CVE-2026-1949 alongside related vulnerabilities (CVE-2026-1950, 1951, 1952) in AS320T, providing details on mitigations; the document is available at https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00006_AS320T%20Multiple%20vulnerabilities%20(CVE-2026-1949,%201950,%201951,%201952).pdf.


Vulnerability details

Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service.


Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack buffer overflow in unauthenticated web service handler enables remote code execution against a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1951: same product (Deltaww As320T)
CVE-2026-1952: same product (Deltaww As320T)
CVE-2026-1950: same product (Deltaww As320T)
CVE-2025-62581: same vendor (Deltaww)
CVE-2025-62582: same vendor (Deltaww)
CVE-2025-15103: same vendor (Deltaww)
CVE-2026-3630: same vendor (Deltaww)
CVE-2026-20911: shared CWE-131
CVE-2026-1361: same vendor (Deltaww)
CVE-2026-3094: same vendor (Deltaww)

Affected Assets

deltaww as320t firmware, versions ≤ 1.16

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: SI-10 Information Input Validation. Directly mitigates the stack buffer overflow by enforcing validation of GET/PUT request sizes and contents in the web service handler to prevent incorrect buffer size calculations.

Prevent: SI-16 Memory Protection. Implements memory protections such as stack canaries, ASLR, and DEP to prevent exploitation of the stack-based buffer overflow for arbitrary code execution.

Prevent: Requires timely patching of the flawed buffer size calculation in the AS320T web service as addressed in the Delta advisory PCSA-2026-00006.
