CVE-2026-4436
Published: 09 April 2026
Summary
CVE-2026-4436 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Sharepoint (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-9 (Service Identification and Authentication).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses CWE-306 by prohibiting critical Modbus register manipulations for odorant injection without identification and authentication.
Requires the odorant injection service to authenticate remote Modbus clients before processing register value changes.
Implements network segmentation and boundary protections to block unauthorized remote Modbus packets from reaching the vulnerable system.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication for critical Modbus register manipulation enables remote unauthenticated exploitation of public-facing ICS applications and remote services to alter control logic.
NVD Description
A low-privileged remote attacker can send Modbus packets to manipulate register values that are inputs to the odorant injection logic such that too much or too little odorant is injected into a gas line.
Deeper analysisAI
CVE-2026-4436 is a vulnerability (CWE-306: Missing Authentication for Critical Function) in odorant injection logic within gas line systems that use Modbus protocol for register management. A low-privileged remote attacker can send Modbus packets to manipulate register values serving as inputs to this logic, resulting in excessive or insufficient odorant injection. The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N) and was published on 2026-04-09. Affected components are outlined in CISA ICS Advisory ICSA-26-099-02, with details linked to Linc Energy Systems.
A network-accessible attacker requires no privileges or user interaction to exploit this issue remotely with low complexity. By crafting and transmitting Modbus packets, the attacker can arbitrarily alter critical register values, directly influencing the odorant injection process. This enables injection of too much or too little odorant into the gas line, potentially compromising gas detection safety mechanisms that rely on odorant for leak identification.
Advisories including CISA ICSA-26-099-02 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-02), the associated CSAF JSON (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-02.json), and Linc Energy Systems documentation (https://lincenergysystems-my.sharepoint.com/:f:/p/h_baer/IgDYaHIhXpyLQJvnKPd6b80TAUgV7Lp8qmVYBFUb0lmr7ak?e=JLeADm) provide mitigation guidance. Security practitioners should review these for vendor-recommended patches, configuration hardening, network segmentation, and Modbus access controls to prevent unauthorized packet injection.
Details
- CWE(s)