CVE-2025-58466

MEDIUM

QNAP OS - Use After Free

Title source: llm

Description

A use of uninitialized variable vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to denial of service conditions, or modify control flow in unexpected ways. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later

References (1)

[Vendor Advisory] https://www.qnap.com/en/security-advisory/qsa-26-05

Scores

CVSS v3 4.9

EPSS 0.0015

EPSS Percentile 34.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-457

Status published

Products (37)

qnap/qts 5.2.0.2737 build_20240417

qnap/qts 5.2.0.2744 build_20240424

qnap/qts 5.2.0.2782 build_20240601

qnap/qts 5.2.0.2802 build_20240620

qnap/qts 5.2.0.2823 build_20240711

qnap/qts 5.2.0.2851 build_20240808

qnap/qts 5.2.0.2860 build_20240817

qnap/qts 5.2.1.2930 build_20241025

qnap/qts 5.2.2.2950 build_20241114

qnap/qts 5.2.3.3006 build_20250108

... and 27 more

Published Feb 11, 2026

Tracked Since Feb 18, 2026