CVE-2026-3509

CWE-134 — Uncontrolled Format String3 documents3 sources

Severity

7.5HIGH

EPSS

0.1%

top 71.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Codesys Codesys Control FOR Beaglebone SL Codesys Codesys Control FOR Empc-a/imx6 SL Codesys Codesys Control FOR Iot2000 SL +12 more

Timeline

PublishedMar 24

Description

An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial‑of‑service (DoS) condition.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages15 packages

▶CVEListV5codesys/codesys_control_rte_(sl)3.5.17.0 — 3.5.22.0

▶CVEListV5codesys/codesys_control_win_(sl)3.5.17.0 — 3.5.22.0

▶CVEListV5codesys/codesys_virtual_control_sl4.1.0.0 — 4.21.0.0

▶CVEListV5codesys/codesys_control_for_linux_sl4.1.0.0 — 4.21.0.0

▶CVEListV5codesys/codesys_control_for_pfc100_sl4.1.0.0 — 4.21.0.0

🔴Vulnerability Details

CVEList

CODESYS Control Audit Log Format String DoS↗2026-03-24

▶

GHSA

GHSA-34rr-qp2j-p4q7: An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime syst↗2026-03-24

▶