CVE-2026-26240
A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the v...
Affects 0 products across 1 vendor.
Buffer overflow corrupting the program stack, typically overwriting the return address for code execution.
QNAP File Station 5, a web-based file management application commonly deployed on NAS devices in industrial and enterprise environments, contains a buffer overflow vulnerability exploitable by remote attackers. An attacker can leverage this flaw to corrupt memory or crash running processes, potentially leading to denial of service or arbitrary code execution. In OT environments where QNAP NAS devices are used for data historians, file transfers, or engineering backups, successful exploitation could disrupt operations or provide a pivot point into sensitive network segments.
Is this CVE in your environment?
BreachSpider monitors your ICS/OT environment for vulnerabilities like this one. No agents or network access required. Free to start.
Check My Environment →What is CVE-2026-26240?
Is CVE-2026-26240 actively exploited?
How do I remediate CVE-2026-26240?
What systems are affected by CVE-2026-26240?
| CVE ID | CVE-2026-26240 |
|---|---|
| Published | 2026-06-10 |
| Last Modified | 2026-06-10 |
| ICS Relevance | 70% |
| Weakness (CWE) | |
| Source | NVD |
A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later
Source: NIST NVD / MITRE CVE Database
| Vendor | Product | Fixed Version |
|---|---|---|
| Qnap | — | — |
Fixed Version: File Station 5 5.5.6.5243
Resolves a remotely exploitable buffer overflow in File Station 5 that allowed unauthenticated or authenticated remote attackers to corrupt process memory or crash the File Station service. Upgrade to version 5.5.6.5243 or later to remediate.
View Vendor Advisory →| CISA KEV | Not in KEV catalog |
|---|---|
| Public Exploit | Not confirmed |
| PoC Code | Not confirmed |
Deploy IDS/IPS sensors at the network boundary between untrusted networks and the NAS device. Block all inbound HTTP/HTTPS requests to QNAP File Station management ports (default 8080, 8081, 443) from any source outside designated administrator subnets. Implement web application firewall rules to reject oversized POST request bodies targeting /filestation/ URI paths. Deploy controls at perimeter firewall and any internal segment boundary protecting OT historian or file server VLANs.
No reliable network detection signature exists for this vulnerability class — apply the compensating controls above and the vendor patch. SAGE only publishes a network rule when a concrete on-the-wire signature can be grounded in the advisory.
Virtual patch generated by CITED Relevance SAGE. Validate in isolated environment before production deployment. Compensating control only - does not replace vendor patch.
ICS/OT Vulnerability Intelligence for Your Environment
BreachSpider monitors 353,228 CVEs across ICS/OT vendors. SAGE-enriched alerts with virtual patches, NERC-CIP mapping, and PSIRT contacts delivered to your SIEM in minutes.
Join free →