CVE-2026-3509

HIGH

CODESYS Control Audit Log Format String DoS

Title source: cna

Description

An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial‑of‑service (DoS) condition.

References (1)

https://certvde.com/de/advisories/VDE-2026-018

Scores

CVSS v3 7.5

EPSS 0.0012

EPSS Percentile 30.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-134

Status published

Products (15)

CODESYS/CODESYS Control for BeagleBone SL 4.1.0.0 - 4.21.0.0

CODESYS/CODESYS Control for emPC-A/iMX6 SL 4.1.0.0 - 4.21.0.0

CODESYS/CODESYS Control for IOT2000 SL 4.1.0.0 - 4.21.0.0

CODESYS/CODESYS Control for Linux ARM SL 4.1.0.0 - 4.21.0.0

CODESYS/CODESYS Control for Linux SL 4.1.0.0 - 4.21.0.0

CODESYS/CODESYS Control for PFC100 SL 4.1.0.0 - 4.21.0.0

CODESYS/CODESYS Control for PFC200 SL 4.1.0.0 - 4.21.0.0

CODESYS/CODESYS Control for PLCnext SL 4.1.0.0 - 4.21.0.0

CODESYS/CODESYS Control for Raspberry Pi SL 4.1.0.0 - 4.21.0.0

CODESYS/CODESYS Control for WAGO Touch Panels 600 SL 4.1.0.0 - 4.21.0.0

... and 5 more

Published Mar 24, 2026

Tracked Since Mar 24, 2026