CVE-2026-33850

High

Published: 24 March 2026

Modified: 05 May 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33850 is a high-severity Out-of-bounds Write (CWE-787) vulnerability. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 6.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33850 is an out-of-bounds write vulnerability (CWE-787) in the WujekFoliarz DualSenseY-v2 software. It affects versions of DualSenseY-v2 prior to 54. The vulnerability was published on 2026-03-24 and has a CVSS v3.1 base score of 7.8.

The CVSS vector describes a local attack vector (AV:L), low attack complexity (AC:L), no required privileges (PR:N), and required user interaction (UI:R), with unchanged scope (S:U) and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). A local attacker could exploit it by tricking a user into performing a specific action, potentially leading to arbitrary code execution, data corruption, or system crashes on the affected system.

A GitHub pull request at https://github.com/WujekFoliarz/DualSenseY-v2/pull/66 addresses the issue, providing a patch for affected versions. Security practitioners should update to DualSenseY-v2 version 54 or later to mitigate the vulnerability.

Vulnerability details

Out-of-bounds Write vulnerability in WujekFoliarz DualSenseY-v2. This issue affects DualSenseY-v2: before 54.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204 User Execution (Tactic: Execution)
An adversary may rely upon specific actions by a user in order to gain execution.
Why these techniques?

An out-of-bounds write in client software (DualSenseY-v2) with AV:L/UI:R/PR:N directly enables client-side exploitation for code execution when a user is tricked into an action (T1203 Exploitation for Client Execution + T1204 User Execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21042 (Shared CWE-787)
CVE-2026-0122 (Shared CWE-787)
CVE-2026-22852 (Shared CWE-787)
CVE-2026-29774 (Shared CWE-787)
CVE-2019-25705 (Shared CWE-787)
CVE-2026-2792 (Shared CWE-787)
CVE-2026-42484 (Shared CWE-787)
CVE-2016-20043 (Shared CWE-787)
CVE-2018-25251 (Shared CWE-787)
CVE-2019-25629 (Shared CWE-787)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly addresses the vulnerability by requiring timely identification, reporting, and application of the vendor patch for DualSenseY-v2 version 54 or later to remediate the out-of-bounds write.

prevent

Implements memory safeguards like address space layout randomization and data execution prevention to block exploitation of the out-of-bounds write for arbitrary code execution or crashes.

prevent

Restricts user installation and execution of vulnerable third-party software like pre-v54 DualSenseY-v2, preventing deployment of the affected version.
