cbcvebase.
CVE-2026-3509
published 2026-03-24

CVE-2026-3509: An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system…

high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial‑of‑service (DoS) condition.

Affected

15 ranges
VendorProductVersion rangeFixed in
codesyscodesys_control_for_beaglebone_sl>= 4.1.0.0 < 4.21.0.04.21.0.0
codesyscodesys_control_for_empc-a_imx6_sl>= 4.1.0.0 < 4.21.0.04.21.0.0
codesyscodesys_control_for_iot2000_sl>= 4.1.0.0 < 4.21.0.04.21.0.0
codesyscodesys_control_for_linux_arm_sl>= 4.1.0.0 < 4.21.0.04.21.0.0
codesyscodesys_control_for_linux_sl>= 4.1.0.0 < 4.21.0.04.21.0.0
codesyscodesys_control_for_pfc100_sl>= 4.1.0.0 < 4.21.0.04.21.0.0
codesyscodesys_control_for_pfc200_sl>= 4.1.0.0 < 4.21.0.04.21.0.0
codesyscodesys_control_for_plcnext_sl>= 4.1.0.0 < 4.21.0.04.21.0.0
codesyscodesys_control_for_raspberry_pi_sl>= 4.1.0.0 < 4.21.0.04.21.0.0
codesyscodesys_control_for_wago_touch_panels_600_sl>= 4.1.0.0 < 4.21.0.04.21.0.0
codesyscodesys_control_rte>= 3.5.17.0 < 3.5.22.03.5.22.0
codesyscodesys_control_rte_sl>= 3.5.17.0 < 3.5.22.03.5.22.0
codesyscodesys_control_win>= 3.5.17.0 < 3.5.22.03.5.22.0
codesyscodesys_runtime_toolkit>= 3.5.17.0 < 3.5.22.03.5.22.0
codesyscodesys_virtual_control_sl>= 4.1.0.0 < 4.21.0.04.21.0.0