CVE-2026-24716
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerabi...
Affects 0 products across 1 vendor.
Software attempts to use a NULL pointer, causing a crash and denial of service.
CVE-2026-24716 affects multiple QNAP operating system versions (QTS and QuTS hero), allowing a remote attacker who has already obtained administrator-level access to trigger a NULL pointer dereference, resulting in a denial-of-service condition. In OT environments, QNAP NAS devices are commonly used for historian data storage, backup of engineering configurations, and file sharing between IT and OT network segments, making availability impact particularly significant. While the attack requires prior administrative compromise, a DoS against a QNAP device in an OT context could disrupt data logging, recipe/configuration backups, or segment-critical file services.
Is this CVE in your environment?
BreachSpider monitors your ICS/OT environment for vulnerabilities like this one. No agents or network access required. Free to start.
Check My Environment →What is CVE-2026-24716?
Is CVE-2026-24716 actively exploited?
How do I remediate CVE-2026-24716?
What systems are affected by CVE-2026-24716?
| CVE ID | CVE-2026-24716 |
|---|---|
| Published | 2026-06-10 |
| Last Modified | 2026-06-10 |
| ICS Relevance | 55% |
| Weakness (CWE) | |
| Source | NVD |
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later
Source: NIST NVD / MITRE CVE Database
| Vendor | Product | Fixed Version |
|---|---|---|
| Qnap | — | — |
Fixed Version: QTS 5.2.9.3492 build 20260507; QuTS hero h5.2.9.3499 build 20260514; QuTS hero h5.3.4.3500 build 20260520; QuTS hero h6.0.0.3459 build 20260409
Patches add null pointer validation guards in affected QNAP OS code paths to prevent a NULL dereference triggered by an authenticated administrator, eliminating the denial-of-service condition across QTS 5.x and QuTS hero h5.x/h6.x branches.
View Vendor Advisory →| CISA KEV | Not in KEV catalog |
|---|---|
| Public Exploit | Not confirmed |
| PoC Code | Not confirmed |
Deploy rules at the OT DMZ firewall or network IDS sensor positioned between IT/corporate networks and the OT segment. Block all inbound connections to QNAP management ports (80, 443, 8080) from any source other than explicitly authorized management IP addresses. Additionally, alert on high-frequency POST requests to QNAP CGI endpoints from authenticated sessions as an indicator of abuse. Restrict admin-level QNAP API calls to the dedicated management VLAN only.
No reliable network detection signature exists for this vulnerability class — apply the compensating controls above and the vendor patch. SAGE only publishes a network rule when a concrete on-the-wire signature can be grounded in the advisory.
Virtual patch generated by CITED Relevance SAGE. Validate in isolated environment before production deployment. Compensating control only - does not replace vendor patch.
ICS/OT Vulnerability Intelligence for Your Environment
BreachSpider monitors 353,228 CVEs across ICS/OT vendors. SAGE-enriched alerts with virtual patches, NERC-CIP mapping, and PSIRT contacts delivered to your SIEM in minutes.
Join free →