Dell: Three Vulnerabilities Disclosed Across BSAFE SSL-J and ThinOS
Dell disclosed three vulnerabilities affecting BSAFE SSL-J and ThinOS, with severities ranging from Medium to High, over a two-day period.

Key findings
- Three vulnerabilities disclosed by Dell between June 2 and June 4, 2026.
- CVE-2025-46638 in BSAFE SSL-J lets an unauthenticated remote attacker cause a DoS.
- ThinOS versions prior to 2602_10.0765 are affected by two flaws.
- CVE-2026-40715 in ThinOS allows privilege escalation via local access.
- CVE-2026-40713 in ThinOS allows information exposure with physical access.
Dell has recently disclosed a cluster of three vulnerabilities impacting its BSAFE SSL-J component and ThinOS operating system. The disclosures, spanning from June 2nd to June 4th, 2026, include a Denial of Service flaw in BSAFE SSL-J and two separate vulnerabilities in ThinOS, one leading to privilege escalation and another to information exposure.
The BSAFE SSL-J component is affected by CVE-2025-46638, a High severity vulnerability rated at CVSSv3 7.5. This flaw is an allocation of resources without limits or throttling, which an unauthenticated remote attacker could exploit to cause a Denial of Service (DoS). The weakness lies in how the SSL-J library bounds its resource allocation under load.
In parallel, Dell's ThinOS, specifically versions prior to ThinOS10 2602_10.0765, is impacted by two distinct vulnerabilities. CVE-2026-40715, a High severity issue (CVSSv3 7.8), is an Improper Access Control vulnerability. A low-privileged attacker with local access could leverage this to achieve privilege escalation on the affected ThinOS devices. This could allow an attacker to gain elevated permissions and potentially access sensitive system functions.
Another vulnerability affecting the same ThinOS versions is CVE-2026-40713, classified as Medium severity with a CVSSv3 score of 6.1. This Improper Access Control vulnerability, exploitable by an unauthenticated attacker with physical access, could lead to information exposure. The nature of this flaw suggests that physical access to a device running an unpatched ThinOS version could expose sensitive data.
Dell has provided patches for these vulnerabilities. Users of BSAFE SSL-J and ThinOS are strongly advised to consult Dell's official advisories for specific version information and apply the necessary updates to mitigate these risks. The timely patching of these issues is crucial to prevent potential service disruptions and unauthorized access to sensitive information.
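The ThinOS threshold above can be turned into a fleet triage check. The following is an added example, not Dell's code or part of the original article: it assumes version strings follow the `<release>_<major>.<build>` layout of `2602_10.0765` and that releases order numerically by those three fields, and the hostnames and sample versions are constructed. Anything outside that layout or outside the 10.x line is routed to manual review against Dell's advisory rather than guessed at.

```python
import re

# Fixed-release threshold taken from the article: ThinOS10 2602_10.0765.
FIXED = "2602_10.0765"

# Assumed layout of a version string: <release>_<major>.<build>, all decimal.
_VERSION_RE = re.compile(r"^(\d{4})_(\d+)\.(\d+)$")


def parse_version(text):
    """Return (release, major, build) as ints, or None if the layout differs."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version_text, fixed=FIXED):
    """Return 'patched', 'vulnerable' or 'review' for one reported version."""
    fixed_v = parse_version(fixed)
    v = parse_version(version_text)
    # Unparseable strings and other major lines are not covered by the
    # article's statement, so a human has to check Dell's advisory.
    if v is None or v[1] != fixed_v[1]:
        return "review"
    # Assumption: numeric ordering of (release, major, build) matches release order.
    return "patched" if v >= fixed_v else "vulnerable"


def triage(inventory):
    """Group (hostname, version) pairs by classification."""
    result = {"patched": [], "vulnerable": [], "review": []}
    for host, version in inventory:
        result[classify(version)].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [
    ("tc-lobby-01", "2602_10.0765"),
    ("tc-ward-07", "2508_10.0412"),
    ("tc-lab-03", "2602_10.0123"),
    ("tc-old-11", "2311_9.4.4126"),
    ("tc-kiosk-02", "unknown"),
    ("tc-desk-09", "2605_10.0101"),
]

if __name__ == "__main__":
    for state, hosts in triage(SAMPLE).items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```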
This batch of disclosures underscores the importance of keeping software up to date across Dell's product ecosystem. Users should remain vigilant and ensure all systems are running the latest patched versions to protect against these known vulnerabilities.