CVE-2026-22904
published 2026-02-09CVE-2026-22904: Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and…
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack buffer overflow, resulting in a denial‑of‑service condition and possible remote code execution.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wago | 0852-1322 | — | — |
| wago | 0852-1322 | 0.0.0 – 2.64 | — |
| wago | 0852-1328 | — | — |
| wago | 0852-1328 | 0.0.0 – 2.64 | — |