CVE-2024-38638

HIGH

QNAP QTS and QuTS hero - Out-of-bounds Write

Title source: llm

Description

An out-of-bounds write vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to modify or corrupt memory. QTS 5.2.x/QuTS hero h5.2.x are not affected. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QuTS hero h5.1.9.2954 build 20241120 and later

References (1)

Core 1

Core References

Vendor Advisory

https://www.qnap.com/en/security-advisory/qsa-24-52

Scores

CVSS v3 7.2

EPSS 0.0038

EPSS Percentile 59.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-787

Status published

Products (29)

qnap/qts 5.1.0.2348 build_20230325

qnap/qts 5.1.0.2399 build_20230515

qnap/qts 5.1.0.2418 build_20230603

qnap/qts 5.1.0.2444 build_20230629

qnap/qts 5.1.0.2466 build_20230721

qnap/qts 5.1.1.2491 build_20230815

qnap/qts 5.1.2.2533 build_20230926

qnap/qts 5.1.3.2578 build_20231110

qnap/qts 5.1.4.2596 build_20231128

qnap/qts 5.1.5.2645 build_20240116

... and 19 more

Published Mar 07, 2025

Tracked Since Feb 18, 2026