CVE-2026-36501: An issue in the Externalizable.readExternal() component of Controller v12.0.5
An issue in the Externalizable.readExternal() component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: no fix version published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a denial-of-service vulnerability in the Externalizable.readExternal() component of Controller v12.0.5. readExternal() is the deserialization entry point of the java.io.Externalizable interface, so the crafted input is data the component deserializes. The vulnerable path is reachable over the network with no authentication required, and an attacker exploits it simply by sending the crafted input to the affected component. Successful exploitation crashes or hangs the service, rendering it unavailable; confidentiality and integrity are not affected (CVSS C:N/I:N/A:H). No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
- Detection (Available): Detection for CVE-2026-36501 is active across every HarborGuard environment; the CVE is matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that bundle the affected Controller component, not only images pulled from public registries.
- Triage (Available): Triage applies the CVSS v3.1 base score of 7.5 (HIGH), weighted against each customer organization's compliance policy, to determine urgency and escalation path. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.
- Remediation (Pending upstream): Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as an upstream fix is released. In the meantime, customers with auto-remediation enabled receive an alert and can apply compensating controls through policy-driven network isolation for the affected workloads.
Exploit Conditions
- Network reachability: Required
The vulnerable component is exposed over the network, so an attacker must be able to send crafted input to it across the internet or an internal network segment.
- Authentication: Not required
No credentials or session token of any kind are needed to reach the vulnerable code path.
- Victim interaction: Not required
The attacker does not need any user or operator to take an action; sending the crafted input alone is sufficient to trigger the vulnerability.
- Attack complexity: Low
Exploitation is reliable and condition-free, requiring no race conditions, memory-layout knowledge, or environmental setup beyond network access.
Blast Radius
- The affected service becomes unresponsive or terminates, interrupting all operations that depend on the Controller component.
- Downstream services or clients that rely on the Controller for coordination or data flow lose connectivity for the duration of the outage.
- Repeated triggering of the vulnerability can prevent the service from recovering, turning a momentary crash into a sustained outage.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-36501 is active across all customer environments, matching the affected Controller component in scanned images from the moment the CVE was ingested from upstream feeds. Because no upstream fix exists at this time, HarborGuard does not yet offer a patched-image rebuild; instead, the advisory is re-evaluated on every ingest cycle and a rebuild will become available automatically once a fix version is published. While no patch is available, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict inbound access to the Controller service to the clients that legitimately need it, egress filtering to limit lateral movement should the service be compromised by other means (this CVE itself affects availability only), and workload-level quarantine flags for high-risk environments. Note that ingress restriction only removes the exposure for sources outside the allowed set: any permitted client, or client-supplied data that the Controller goes on to deserialize, can still reach readExternal(), so the control reduces the attack surface rather than closing the vulnerable path. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered without manual intervention the moment an upstream fix is confirmed.
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H