Cyber Posture

CVE-2026-22904

Critical

Published: 09 February 2026

Published
09 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 38.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22904 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Certvde (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the stack buffer overflow vulnerability by identifying, reporting, and applying patches for improper cookie length handling.

SI-10 Information Input Validation good match
prevent

Requires validation of cookie input lengths to prevent oversized values from triggering the buffer overflow during parsing.

SI-16 Memory Protection good match
prevent

Implements memory protections like stack canaries and ASLR to block exploitation of the stack buffer overflow for RCE or DoS.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Unauthenticated remote stack buffer overflow in cookie parsing enables exploitation of a public-facing application for DoS or potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulting in a denial‑of‑service condition and possible remote code execution.

Deeper analysisAI

CVE-2026-22904, published on 2026-02-09, is a stack buffer overflow vulnerability stemming from improper length handling during the parsing of multiple cookie fields, including TRACKID. An unauthenticated remote attacker can supply oversized cookie values to trigger the overflow. The issue is classified under CWE-121 (Stack-based Buffer Overflow) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high confidentiality, integrity, and availability impacts.

The attack scenario involves an unauthenticated attacker over networks with low complexity and no user interaction required. By crafting and sending HTTP requests with excessively large cookie values, the attacker can cause a stack buffer overflow, leading to a denial-of-service condition or possible remote code execution if the overflow is exploited further.

Mitigation details are available in the referenced advisory at https://certvde.com/de/advisories/VDE-2026-004.

Details

CWE(s)
CWE-121

Affected Products

Certvde
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-30871Shared CWE-121
CVE-2025-70225Shared CWE-121
CVE-2025-53521Shared CWE-121
CVE-2025-67187Shared CWE-121
CVE-2025-70222Shared CWE-121
CVE-2025-70220Shared CWE-121
CVE-2020-37120Shared CWE-121
CVE-2026-22214Shared CWE-121
CVE-2025-40795Shared CWE-121
CVE-2025-68706Shared CWE-121

References