CVE-2026-6643 — CRITICAL (9.9)

Q: How severe is CVE-2026-6643?

CVE-2026-6643 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2026-6643?

Check the references section above for vendor advisories and patch information. Affected products include: Asustor Data Master.

Vulnerability Description

A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to execute arbitrary code as the web server user. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

CVSS Score

9.9

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Asustor	Data Master	>= 4.1.0.rhu2, < 4.3.3.RR42

Related Weaknesses (CWE)

CWE-121

References

https://www.asustor.com/security/security_advisory_detail?id=54Vendor Advisory

FAQ

What is CVE-2026-6643?

CVE-2026-6643 is a vulnerability with a CVSS score of 9.9 (CRITICAL). A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to th...

How severe is CVE-2026-6643?

CVE-2026-6643 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-6643?

Check the references section above for vendor advisories and patch information. Affected products include: Asustor Data Master.