Cyber Resilience

CVE-2026-22903

Critical

Published: 09 February 2026

Published
09 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0067 47.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-22903 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Certvde (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22903, published on 2026-02-09, is a stack buffer overflow vulnerability (CWE-121) affecting a modified version of the lighttpd web server. The issue arises when an unauthenticated remote attacker sends a crafted HTTP request containing an overly long SESSIONID cookie, triggering the overflow and causing the server to crash. Due to missing stack protections, this can potentially enable remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

An unauthenticated attacker with network access to the affected server can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. Exploitation leads to a denial-of-service condition by crashing the server, and the lack of stack protections raises the risk of full remote code execution, potentially allowing the attacker to gain control over the server.

Mitigation details are available in the advisory published by CERT VDE at https://certvde.com/de/advisories/VDE-2026-004.

EU & UK References

Vulnerability details

An unauthenticated remote attacker can send a crafted HTTP request containing an overly long SESSIONID cookie. This can trigger a stack buffer overflow in the modified lighttpd server, causing it to crash and potentially enabling remote code execution due to…

more

missing stack protections.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack buffer overflow in public-facing lighttpd web server exploitable by unauthenticated remote attackers via crafted HTTP request, enabling potential RCE or DoS consistent with exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-38422Shared CWE-121
CVE-2025-11783Shared CWE-121
CVE-2025-54491Shared CWE-121
CVE-2024-39359Shared CWE-121
CVE-2026-42469Shared CWE-121
CVE-2020-37159Shared CWE-121
CVE-2024-39603Shared CWE-121
CVE-2024-36258Shared CWE-121
CVE-2024-51138Shared CWE-121
CVE-2025-69763Shared CWE-121

Affected Assets

Certvde
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation patches the stack buffer overflow in the modified lighttpd server, directly preventing both DoS crashes and potential RCE from oversized SESSIONID cookies.

prevent

Memory protection mechanisms like stack canaries, ASLR, and DEP address the missing stack protections, blocking RCE even if the buffer overflow occurs.

prevent

Information input validation checks the length and format of SESSIONID cookies in HTTP requests, mitigating the trigger for the buffer overflow.

References