CVE-2026-22899

N/A

A NULL pointer dereference vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service...

Affects 0 products across 1 vendor.

CVSS v45.3
EPSS0.3%
Percentile20th
PatchUnknown
CWE Weakness Definitions
CWE-476: NULL Pointer Dereference

Software attempts to use a NULL pointer, causing a crash and denial of service.

◆ SAGE Intelligence — CITED Relevance Research Team

CVE-2026-22899 affects QNAP File Station 6, a web-based file management application commonly used on NAS devices. An authenticated remote attacker can exploit a NULL pointer dereference to crash the File Station service, resulting in a denial-of-service condition. In OT environments where QNAP NAS devices are used for data historians, backup, or file transfer between IT/OT segments, this could disrupt operational data availability and logging continuity.

Is this CVE in your environment?

BreachSpider monitors your ICS/OT environment for vulnerabilities like this one. No agents or network access required. Free to start.

Check My Environment →
Frequently Asked Questions
What is CVE-2026-22899?
CVE-2026-22899 affects QNAP File Station 6, a web-based file management application commonly used on NAS devices. An authenticated remote attacker can exploit a NULL pointer dereference to crash the File Station service, resulting in a denial-of-service condition. In OT environments where QNAP NAS devices are used for data historians, backup, or file transfer between IT/OT segments, this could disrupt operational data availability and logging continuity.
Is CVE-2026-22899 actively exploited?
No confirmed active exploitation of CVE-2026-22899 as of 2026-06-24.
How do I remediate CVE-2026-22899?
Update to File Station 5 5.5.6.5208 or later. Resolves a NULL pointer dereference in File Station 6 that could be exploited by authenticated remote attackers to cause a denial-of-service condition. The fix is delivered in File Station 5 version 5.5.6.5208 and later; customers running File Station 6 should monitor for a corresponding update. Advisory: https://www.qnap.com/en/security-advisory/qsa-2026-22899
What systems are affected by CVE-2026-22899?
CVE-2026-22899 affects: Qnap.
Vulnerability Details
CVE IDCVE-2026-22899
Published2026-06-10
Last Modified2026-06-10
ICS Relevance55%
Weakness (CWE)
SourceNVD
Official Description

A NULL pointer dereference vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5208 and later

Source: NIST NVD / MITRE CVE Database

Affected Products
VendorProductFixed Version
Qnap —
Remediation

Fixed Version: File Station 5 5.5.6.5208

Resolves a NULL pointer dereference in File Station 6 that could be exploited by authenticated remote attackers to cause a denial-of-service condition. The fix is delivered in File Station 5 version 5.5.6.5208 and later; customers running File Station 6 should monitor for a corresponding update.

View Vendor Advisory →
Threat Intelligence
● Threat Intelligence Validated: July 2026 | Threat Age: 32 Days
CISA KEVNot in KEV catalog
Public ExploitNot confirmed
PoC CodeNot confirmed
● Virtual Patch — CITED Relevance SAGE Engine LOW CONFIDENCE

Deploy rules at perimeter and internal DMZ firewalls blocking access to QNAP NAS HTTP/HTTPS management ports (80, 443, 8080) from all sources except explicitly authorized management workstations. Enforce authenticated session rate-limiting on the NAS device itself if configurable. Monitor for repeated authenticated POST requests to File Station API endpoints as a DoS indicator.

No reliable network detection signature exists for this vulnerability class — apply the compensating controls above and the vendor patch. SAGE only publishes a network rule when a concrete on-the-wire signature can be grounded in the advisory.

Virtual patch generated by CITED Relevance SAGE. Validate in isolated environment before production deployment. Compensating control only - does not replace vendor patch.

Related CVEs affecting Qnap
CVE-2017-7876 10.0 This command injection vulnerability in QTS allows attackers to run arbitrary... CVE-2024-32766 10.0 An OS command injection vulnerability has been reported to affect several QNA... CVE-2024-32764 9.9 A missing authentication for critical function vulnerability has been reporte... CVE-2017-17033 9.8 A buffer overflow vulnerability in password function in QNAP QTS version 4.2.... CVE-2017-17028 9.8 A buffer overflow vulnerability in external device function in QNAP QTS versi...
View all Qnap CVEs →

ICS/OT Vulnerability Intelligence for Your Environment

BreachSpider monitors 353,228 CVEs across ICS/OT vendors. SAGE-enriched alerts with virtual patches, NERC-CIP mapping, and PSIRT contacts delivered to your SIEM in minutes.

Join free →