Cyber Resilience

CVE-2026-30656

Severity: High

Published: 16 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch:
CVSS Score: v3.1 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0009 (24.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-30656 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 24.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-30656 is a NULL pointer dereference vulnerability (CWE-476) in fio (Flexible I/O Tester) version 3.41. The issue arises when parsing job files containing the fdp_pli option without an argument. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value, resulting in a segmentation fault and process crash. Published on 2026-04-16, it has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no effects on confidentiality or integrity.

A remote attacker with no privileges or user interaction can exploit the vulnerability by supplying a malicious job file that includes the fdp_pli option without an argument to a vulnerable fio instance. This triggers the NULL pointer dereference during job file parsing, causing a denial-of-service condition through process termination via segmentation fault.

Mitigation details, including patches, are discussed in the fio GitHub issue at https://github.com/axboe/fio/issues/2055 and a related proof-of-concept gist at https://gist.github.com/Criticayon/eb5e69163bfa4ce684e62ed5c939b76e.

EU & UK References

Vulnerability details

A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash.

CWE(s)

CWE-476 NULL Pointer Dereference

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL pointer dereference in job file parser directly enables adversaries to crash the fio process via malicious input, matching Application or System Exploitation for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40413 (shared CWE-476)
CVE-2025-57155 (shared CWE-476)
CVE-2026-28390 (shared CWE-476)
CVE-2026-23952 (shared CWE-476)
CVE-2025-57156 (shared CWE-476)
CVE-2025-63647 (shared CWE-476)
CVE-2025-69624 (shared CWE-476)
CVE-2024-55193 (shared CWE-476)
CVE-2025-63648 (shared CWE-476)
CVE-2026-25795 (shared CWE-476)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation [prevent]: requires timely identification, reporting, and correction of flaws like the NULL pointer dereference in fio's str_fdp_pli_cb() function, directly mitigating the CVE via patching.

SI-10 Information Input Validation [prevent]: mandates validation of information inputs such as malformed job files with the fdp_pli option lacking an argument, preventing the NULL pointer dereference during parsing.

SI-11 Error Handling [prevent]: ensures effective error handling that avoids catastrophic failures like segmentation faults when strdup() is called on a NULL value in fio's callback function.

References