CVE-2026-30656
Published: 16 April 2026
Summary
CVE-2026-30656 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 24.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-30656 is a NULL pointer dereference vulnerability (CWE-476) in fio (Flexible I/O Tester) version 3.41. The issue arises when parsing job files containing the fdp_pli option without an argument. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value, resulting in a segmentation fault and process crash. Published on 2026-04-16, it has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no effects on confidentiality or integrity.
A remote attacker with no privileges or user interaction can exploit the vulnerability by supplying a malicious job file that includes the fdp_pli option without an argument to a vulnerable fio instance. This triggers the NULL pointer dereference during job file parsing, causing a denial-of-service condition through process termination via segmentation fault.
Mitigation details, including patches, are discussed in the fio GitHub issue at https://github.com/axboe/fio/issues/2055 and a related proof-of-concept gist at https://gist.github.com/Criticayon/eb5e69163bfa4ce684e62ed5c939b76e.
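The missing check described above, shown as an added example rather than fio's own code: the unchecked callback pattern sits beside a hardened form that rejects a missing argument before any string call. The function names, the `key=value` splitter, the negative-errno return convention and the sample lines are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not fio's parser: split a "key=value" line in
 * place; the value is NULL when the option is given without an argument. */
char *split_option(char *line)
{
    char *eq = strchr(line, '=');
    if (!eq)
        return NULL;
    *eq = '\0';
    return eq + 1;
}

/* Unchecked pattern from the advisory: strdup() on a possibly-NULL input.
 * Undefined behaviour (typically SIGSEGV) when input == NULL. Never called here. */
int pli_cb_unchecked(const char *input, char **out)
{
    *out = strdup(input);
    return *out ? 0 : -ENOMEM;
}

/* Hardened form: reject a missing or empty argument before any string call. */
int pli_cb_checked(const char *input, char **out)
{
    *out = NULL;
    if (!input || !*input)
        return -EINVAL;
    *out = strdup(input);
    return *out ? 0 : -ENOMEM;
}

int main(void)
{
    char lines[][16] = { "fdp_pli=1,2", "fdp_pli", "fdp_pli=" }; /* constructed */
    for (size_t i = 0; i < 3; i++) {
        char *v;
        int rc = pli_cb_checked(split_option(lines[i]), &v);
        printf("%s: rc=%d value=%s\n", lines[i], rc, v ? v : "(none)");
        free(v);
    }
    return 0;
}
```

With the check in place, a bare `fdp_pli` line becomes a parse error the caller can report instead of a crash, which is the behaviour SI-10 and SI-11 call for.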
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23245
Vulnerability details
A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the input pointer and calls strdup() on a NULL value when the option is specified without an argument. This results in a segmentation fault and process crash.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The NULL pointer dereference in the job file parser directly enables adversaries to crash the fio process via malicious input, matching Application or System Exploitation for DoS.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of flaws like the NULL pointer dereference in fio's str_fdp_pli_cb() function, directly mitigating the CVE via patching.
SI-10 mandates validation of information inputs such as malformed job files with fdp_pli option lacking an argument, preventing the NULL pointer dereference during parsing.
SI-11 ensures effective error handling that avoids catastrophic failures like segmentation faults when strdup() is called on a NULL value in fio's callback function.