Cyber Posture

CVE-2026-1949

Critical

Published: 24 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: see Delta advisory PCSA-2026-00006
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.0th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1949 is a critical-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in Delta Electronics AS320T (vendor "Deltaww" inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 5.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly mitigates the stack buffer overflow by enforcing validation of GET/PUT request sizes and contents in the web service handler, preventing incorrect buffer size calculations.

- SI-16 Memory Protection (prevent): Implements memory protections such as stack canaries, ASLR, and DEP to prevent exploitation of the stack-based buffer overflow for arbitrary code execution.

- Flaw remediation (prevent): Requires timely patching of the flawed buffer size calculation in the AS320T web service, as addressed in Delta advisory PCSA-2026-00006.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A stack buffer overflow in an unauthenticated web service handler enables remote code execution against a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service.

Deeper analysis

CVE-2026-1949 affects Delta Electronics AS320T, where the GET/PUT request handler in the web service performs an incorrect calculation of the size of a buffer on the stack. This flaw, classified as CWE-131 (Incorrect Calculation of Buffer Size), was published on 2026-04-24 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical because of its potential for severe impact.

Remote attackers require only network access to exploit this vulnerability: attack complexity is low, no privileges are required, and no user interaction is needed. Exploitation via crafted GET or PUT requests to the web service can lead to high confidentiality, integrity, and availability impacts, most likely through arbitrary code execution via the stack-based buffer overflow.

Delta Electronics advisory PCSA-2026-00006 addresses CVE-2026-1949 alongside related vulnerabilities in AS320T (CVE-2026-1950, CVE-2026-1951, CVE-2026-1952) and provides details on mitigations; the document is available at https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00006_AS320T%20Multiple%20vulnerabilities%20(CVE-2026-1949,%201950,%201951,%201952).pdf.

Details

CWE(s)

CWE-131 Incorrect Calculation of Buffer Size

Affected Products

Delta Electronics AS320T (vendor "Deltaww" inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2025-66216 (shared CWE-131)
- CVE-2026-20911 (shared CWE-131)
- CVE-2026-1188 (shared CWE-131)
- CVE-2026-20049 (shared CWE-131)
- CVE-2025-1861 (shared CWE-131)
- CVE-2019-25555 (shared CWE-131)
- CVE-2026-41676 (shared CWE-131)
- CVE-2024-11425 (shared CWE-131)
- CVE-2024-8361 (shared CWE-131)
- CVE-2026-33984 (shared CWE-131)
