HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-35084Published Modified CNA CERTVDE

CVE-2026-35084: Stack buffer overflow in method dali-devconfig

A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root.

Metrics

CVSS v4.0
8.7
Severity
HIGH
Fixed in
V6_0_0_7
Affected Products
18

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A stack buffer overflow exists in the dali-devconfig method across multiple MBS device variants (Single-A, Double-A Profibus, Double-A x-link, Single-X, Double-X CAN, Double-X DALI, Double-X KNX, and Double-X LON) running firmware versions from V1_0_0_0 up to but not including V6_0_0_7. The vulnerability is reachable over the network by any authenticated user with standard (low-privilege) credentials, requiring no additional interaction. Successful exploitation gives the attacker full root-level control of the affected system. A patched-image rebuild at V6_0_0_7 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-35084 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built firmware-derived images, in both registry scans and active CI/CD pipeline checks.

Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 8.7 (HIGH) and weighting that score against each environment's compliance policy to determine urgency; triage tickets are routable to the appropriate team inbox within each customer organization based on policy configuration.

Available
Patch

A patched-image rebuild at V6_0_0_7 becomes available on HarborGuard for any environment found running an affected firmware version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the dali-devconfig service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is required.

  • AuthenticationRequired

    A valid low-privilege user account is sufficient to trigger the overflow; the CVSS vector specifies PR:L, so anonymous access alone is not enough.

  • Victim interactionNot required

    No user action or social engineering is needed; the CVSS vector specifies UI:N, so the attacker can exploit the service directly.

  • Attack complexityDetail

    Exploitation is reliable and condition-free; the CVSS vector specifies AC:L and AT:N, meaning no race conditions or special environmental circumstances are required.

Blast Radius

  • The attacker gains full root-level code execution on the affected MBS device, obtaining complete control over the operating system and all running processes.
  • All locally stored credentials, configuration data, and communication keys held on the device are readable by the attacker.
  • The attacker can modify firmware configuration, persisted device state, and any data written to storage on the device.
  • The device itself can be crashed or rendered inoperable, disrupting any building-automation or industrial protocol (DALI, KNX, LON, CAN, Profibus) traffic it is brokering.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-35084 is active as of the CVE publication date of 2026-06-03, with images matched against the affected version range (V1_0_0_0 through pre-V6_0_0_7) across all registered customer environments. Where a customer's compliance policy permits auto-remediation, HarborGuard can trigger a rebuild at the fixed version V6_0_0_7, execute a regression test run against the rebuilt image, and open a pull request against affected workloads. For high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. Customers who manage remediation manually will find the patched rebuild available in their HarborGuard dashboard, tagged at V6_0_0_7, ready to promote through their standard change-control process.

See how HarborGuard automates this

Fix available

V6_0_0_7
Affected packages
  • MBS / Single-A
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-A Profibus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-A x-link
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Single-X
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X CAN
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X KNX
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X M-Bus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X PROFINET
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X x-link
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+M-Bus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+KNX
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+M-Bus
    < V6_0_0_7 (from V1_0_0_0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References