CVE-2026-40715: Dell ThinOS 10, versions prior to ThinOS10 2602_10
Dell ThinOS 10, versions prior to ThinOS10 2602_10.0765, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Privilege Escalation.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 2602_10.0765_T10
- Affected Products: 1
HarborGuard Analysis
Synopsis
An improper access control vulnerability affects Dell ThinOS 10 versions prior to 2602_10.0765_T10. The flaw is exploitable locally by any low-privileged user already on the system, requiring no network access and no victim interaction. Successful exploitation allows the attacker to escalate privileges, with high impact on the confidentiality, integrity, and availability of the affected system. A patched-image rebuild at version 2602_10.0765_T10 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-40715 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that layer on Dell ThinOS 10 base images.
HarborGuard is capable of scoring this CVE at CVSS 7.8 HIGH and weighting it against each environment's compliance policy to prioritize alert routing. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at version 2602_10.0765_T10 becomes available on HarborGuard once the upstream fix is confirmed, so customers can pull a remediated base image without manual intervention. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network path to the target is required.
- Authentication: Required
  Any low-privilege local account is sufficient; the attacker does not need administrative credentials.
- Victim interaction: Not required
  No user interaction is needed; the attacker can execute the exploit entirely on their own without involving another user.
- Attack complexity: Low
  Exploit complexity is low, meaning the attack is reliable and requires no special race conditions or environmental prerequisites.
Blast Radius
- A successful attacker escalates from a low-privilege user account to a higher-privilege or system-level context on the affected ThinOS host.
- Elevated privileges allow the attacker to read sensitive files, credentials, and configuration data stored on the device.
- Write access gained through privilege escalation lets the attacker modify system configuration, install malicious software, or alter persisted data.
- The attacker can disrupt or terminate system processes and services, causing the affected ThinOS endpoint to become unavailable.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-40715 is active against customer images as soon as the CVE appears in upstream feeds, covering both standard and custom-built images derived from Dell ThinOS 10. For environments running a version prior to 2602_10.0765_T10, a rebuilt image at the fix version is available for pull once upstream confirmation is complete. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, security teams receive a routed alert with CVSS scoring and fix-version details so they can act manually on their own schedule.
Fix available
- Dell / ThinOS 10 < 2602_10.0765_T10 (from 0)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H