CVE-2026-22904

9.8 CRITICAL

Published 2026-02-09 · Modified 2026-02-09 · Awaiting Analysis

Quick Summary

A critical flaw in how the affected software parses HTTP cookies lets an unauthenticated remote attacker crash the service, and potentially execute code on it, by sending a request carrying an oversized cookie value.

Who is affected

Any deployment of the affected software that accepts HTTP requests from the network. No credentials or user interaction are required: an unauthenticated remote attacker can cause a denial of service or execute arbitrary code, impacting availability, confidentiality and integrity.

Recommended fix

Apply the vendor's security patch as soon as it is available. Until then, place a web application firewall (WAF) or reverse proxy in front of the service and reject requests whose individual cookie values, or whose total Cookie header, exceed a conservative length. Because the advisory describes multiple affected cookie fields (TRACKID among them), limit all cookie values rather than a single name. Treat this as a temporary mitigation, not a fix: it only helps if every path to the service passes through the filter.

Technical Description

Improper length handling when parsing multiple cookie fields (including TRACKID) allows an unauthenticated remote attacker to send oversized cookie values and trigger a stack-based buffer overflow (CWE-121), resulting in a denial-of-service condition and possible remote code execution.
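To make the bug class concrete, the following C program is an added illustration and not the vendor's code, which the advisory does not show. It contains a minimal Cookie-header scanner (find_cookie), a handler that reproduces the vulnerable pattern (handle_trackid_unsafe: fixed stack buffer, unbounded copy), the hardened form (copy_cookie_safe: refuses values that do not fit), and an edge filter in the spirit of the interim WAF mitigation described under Recommended fix (header_has_oversized_value). All function names, the VALUE_MAX buffer size and the sample headers are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed fixed buffer size for illustration; the advisory gives no real sizes. */
#define VALUE_MAX 32

/* Locate the value of cookie `name` in a header such as "a=1; TRACKID=abc; b=2".
   Returns a pointer to the first byte of the value and its length in *len,
   or NULL if the cookie is absent. It does not copy anything. */
static const char *find_cookie(const char *hdr, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = hdr;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;               /* skip separators */
        const char *end = strchr(p, ';');                  /* end of this name=value pair */
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *len = plen - nlen - 1;
            return p + nlen + 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return NULL;
}

/* VULNERABLE PATTERN (CWE-121), illustrative only: the value is copied into a
   fixed-size stack buffer without checking its length, so a TRACKID longer
   than VALUE_MAX-1 bytes overruns the frame. Returns the copied length. */
static int handle_trackid_unsafe(const char *hdr)
{
    char value[VALUE_MAX];                                /* fixed stack buffer */
    size_t len;
    const char *v = find_cookie(hdr, "TRACKID", &len);
    if (!v) return -1;
    memcpy(value, v, len);                                /* no bound on len */
    value[len] = '\0';
    return (int)strlen(value);
}

/* Hardened form: check the length against the destination before copying and
   refuse oversized input instead of truncating it silently. Returns the value
   length, -1 if the cookie is absent, -2 if it does not fit in `outsz`. */
static int copy_cookie_safe(const char *hdr, const char *name, char *out, size_t outsz)
{
    size_t len;
    const char *v = find_cookie(hdr, name, &len);
    if (!v) return -1;
    if (len >= outsz) return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Edge filter matching the interim WAF mitigation: returns 1 if any cookie
   value in the header is longer than `max_value`, so the request can be
   dropped before it reaches the vulnerable parser. Applies to every cookie
   name, since the advisory says multiple fields are affected. */
static int header_has_oversized_value(const char *hdr, size_t max_value)
{
    const char *p = hdr;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;
        const char *end = strchr(p, ';');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);
        size_t vlen = eq ? plen - (size_t)(eq - p) - 1 : plen;
        if (vlen > max_value) return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample headers, not captured traffic. */
    const char *good = "sessionid=abc123; TRACKID=TRK-0001; lang=en";
    char big[600];
    memset(big, 'A', sizeof big);
    memcpy(big, "TRACKID=", 8);
    big[sizeof big - 1] = '\0';                           /* 591-byte value */

    char buf[VALUE_MAX];
    printf("safe, normal value: %d (%s)\n", copy_cookie_safe(good, "TRACKID", buf, sizeof buf), buf);
    printf("safe, oversized value: %d\n", copy_cookie_safe(big, "TRACKID", buf, sizeof buf));
    printf("filter flags oversized header: %d\n", header_has_oversized_value(big, 256));
    /* handle_trackid_unsafe(big) would overrun its stack buffer; it is not called here. */
    printf("unsafe handler on normal value: %d\n", handle_trackid_unsafe(good));
    return 0;
}
```

The difference between the two handlers is a single length comparison before memcpy; the filter function is the same scan applied to every cookie name, which is what a length-based WAF rule should do rather than matching only TRACKID.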

CVSS Details

Attack Vector

NETWORK

Attack Complexity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-121 (Stack-based Buffer Overflow)

References