CVE-2026-3509

CVSS v3.1

7.5

High

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial‑of‑service (DoS) condition.

Fix

Use of Externally-Controlled Format String

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-134

Related Identifiers

CVE-2026-3509

Affected Products

Codesys Control Rte

Codesys Control Rte (For Beckhoff Cx) Sl

Codesys Control Win

Codesys Control For Beaglebone

Codesys Control For Iot2000

Codesys Control For Linux Arm Sl

Codesys Control For Linux

Codesys Control For Pfc100

Codesys Control For Pfc200

Codesys Control For Plcnext

Codesys Control For Raspberry Pi

Codesys Control For Wago Touch Panels 600 Sl

Codesys Control For Empc-A/Imx6

Codesys Runtime Toolkit

Codesys Virtual Control Sl

CVE-2026-3509

Weakness Enumeration

Related Identifiers

Affected Products

References · 2