CVE-2026-22904

Summary

Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulting in a denial‑of‑service condition and possible remote code execution.

Affected Software

VendorProductVersion RangeStatus
WAGO0852-13220.0.0 <= 2.64affected
WAGO0852-13280.0.0 <= 2.64affected
WAGO0852-13222.64affected
WAGO0852-13282.64affected

Weaknesses

  • CWE-121: CWE-121 Stack-based Buffer Overflow

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References