Cyber Resilience

CVE-2026-22904

Critical

Published: 09 February 2026

Published
09 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0054 41.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-22904 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Certvde (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-22904, published on 2026-02-09, is a stack buffer overflow vulnerability stemming from improper length handling during the parsing of multiple cookie fields, including TRACKID. An unauthenticated remote attacker can supply oversized cookie values to trigger the overflow. The issue is classified under CWE-121 (Stack-based Buffer Overflow) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high confidentiality, integrity, and availability impacts.

The attack scenario involves an unauthenticated attacker over networks with low complexity and no user interaction required. By crafting and sending HTTP requests with excessively large cookie values, the attacker can cause a stack buffer overflow, leading to a denial-of-service condition or possible remote code execution if the overflow is exploited further.

Mitigation details are available in the referenced advisory at https://certvde.com/de/advisories/VDE-2026-004.

EU & UK References

Vulnerability details

Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulting in a denial‑of‑service condition and possible remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote stack buffer overflow in cookie parsing enables exploitation of a public-facing application for DoS or potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-38422Shared CWE-121
CVE-2025-11783Shared CWE-121
CVE-2025-54491Shared CWE-121
CVE-2024-39359Shared CWE-121
CVE-2026-42469Shared CWE-121
CVE-2020-37159Shared CWE-121
CVE-2024-39603Shared CWE-121
CVE-2024-36258Shared CWE-121
CVE-2024-51138Shared CWE-121
CVE-2025-69763Shared CWE-121

Affected Assets

Certvde
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the stack buffer overflow vulnerability by identifying, reporting, and applying patches for improper cookie length handling.

prevent

Requires validation of cookie input lengths to prevent oversized values from triggering the buffer overflow during parsing.

prevent

Implements memory protections like stack canaries and ASLR to block exploitation of the stack buffer overflow for RCE or DoS.

References