Severity: HIGH | CVE-2026-35085 | CNA: CERTVDE

CVE-2026-35085: Stack buffer overflow in method gdv-serverconfig

A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root.

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: V6_0_0_7
Affected Products: 18


HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the gdv-serverconfig method across MBS device variants (including Single-A, Double-A Profibus, Double-A x-link, Single-X, Double-X CAN, Double-X DALI, Double-X KNX, and Double-X LON; all 18 affected products are listed under Affected packages) running firmware versions from V1_0_0_0 up to but not including V6_0_0_7. The vulnerability is reachable over the network and requires only a low-privilege user account to trigger, meaning no admin credentials are needed. Successful exploitation gives the attacker full root-level control of the affected system, enabling arbitrary code execution, data access, and service disruption. A patched-image rebuild at V6_0_0_7 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images containing affected MBS firmware or software components. Any image in a connected registry or CI pipeline that carries a vulnerable version is flagged automatically.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.7 (HIGH) using the v4.0 vector and applies each customer organization's compliance policy weighting to prioritize routing. Triage alerts are directed to the appropriate team inbox within the customer org based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at V6_0_0_7 becomes available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the gdv-serverconfig service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is needed.

  • Authentication: Required

    A low-privilege user account is sufficient to trigger the overflow; no administrative or elevated credentials are required (PR:L).

  • Victim interaction: Not required

    The attack is fully attacker-driven and requires no action from any user on the target system (UI:N).

  • Attack complexity (detail)

    Attack complexity is low (AC:L) and the vector lists no attack requirements (AT:N), meaning exploitation does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • A successful attacker gains root-level code execution on the affected device, allowing installation of arbitrary software or backdoors.
  • The attacker can read all data stored or processed on the system, including configuration secrets, credentials, and operational data.
  • The attacker can modify persisted configuration, firmware state, or application data on the device.
  • The attacker can crash or disable the affected service or the entire device, causing a loss of availability for any systems or processes that depend on it.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE is active across all connected registries and pipelines, with matching performed within minutes of the advisory publication. Where compliance policy permits, a patched rebuild at V6_0_0_7 is queued automatically for any image found running an affected MBS firmware version (V1_0_0_0 through V6_0_0_6). For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Given the HIGH severity and the root-level impact of exploitation, teams that do not yet have auto-remediation enabled are encouraged to prioritize manual upgrade to V6_0_0_7 and to consider network-policy controls that restrict access to the gdv-serverconfig service to trusted principals only.


Fix available: V6_0_0_7

Affected packages
  • MBS / Single-A
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-A Profibus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-A x-link
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Single-X
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X CAN
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X KNX
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X M-Bus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X PROFINET
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X x-link
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+M-Bus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+KNX
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+M-Bus
    < V6_0_0_7 (from V1_0_0_0)
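
To check a device inventory against the range above, the following added example (not HarborGuard's or the vendor's code) classifies firmware strings numerically. It assumes versions always have the four-field `V<n>_<n>_<n>_<n>` form seen on this page, ordered field by field, and that the inventory holds only the MBS models listed; hostnames and sample versions are constructed.

```python
import re

# Range stated on the page: from V1_0_0_0 up to, but not including, V6_0_0_7.
FIRST_AFFECTED = "V1_0_0_0"
FIXED_IN = "V6_0_0_7"

# Assumption: four numeric fields compared left to right as integers.
_VERSION_RE = re.compile(r"^V(\d+)_(\d+)_(\d+)_(\d+)$")


def parse_version(text):
    """Return the version as a tuple of ints, or None if the format is unexpected."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version_text):
    """Return 'affected', 'fixed', 'below-range' or 'unknown' for one firmware string."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # never treat an unparsable version as safe
    # Tuple comparison is numeric; plain string comparison would rank
    # "V10_0_0_0" below "V6_0_0_7" and "V5_10_2_0" below "V5_2_0_0".
    if v >= parse_version(FIXED_IN):
        return "fixed"
    if v >= parse_version(FIRST_AFFECTED):
        return "affected"
    return "below-range"


def triage(inventory):
    """Group (host, model, version) records by classification."""
    report = {"affected": [], "fixed": [], "below-range": [], "unknown": []}
    for host, model, version in inventory:
        report[classify(version)].append((host, model, version))
    return report


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("gw-01.example", "MBS / Single-A", "V6_0_0_6"),
    ("gw-02.example", "MBS / Double-X KNX", "V6_0_0_7"),
    ("gw-03.example", "MBS / Triple-X KNX+LON", "V5_10_2_0"),
    ("gw-04.example", "MBS / Double-X CAN", "v6.0.0.7"),  # wrong format -> unknown
    ("gw-05.example", "MBS / Single-X", "V10_0_0_0"),
]

if __name__ == "__main__":
    for status, rows in triage(SAMPLE_INVENTORY).items():
        for host, model, version in rows:
            print(f"{status:12} {host:15} {model:26} {version}")
```

Records that land in `unknown` need a manual check rather than being counted as patched.
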
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References