CVE-2019-5184
Description
An exploitable double free vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. A specially crafted XML cache file written to a specific location on the device can cause a heap pointer to be freed twice, resulting in a denial of service and potentially code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A double-free vulnerability in WAGO PFC200's iocheckd service allows denial of service or potential code execution via a crafted XML cache file.
Vulnerability
A double-free vulnerability exists in the iocheckd service's I/O-Check functionality of WAGO PFC200 controllers running firmware version 03.02.02(14) [1]. The service parses a file-backed cache stored at /tmp/iocheckCache.xml, which is globally writable. During parsing, the heap buffer used to store values for each gateway XML element is freed once per element; a specially crafted cache file containing multiple gateway elements causes the same heap pointer to be freed multiple times, resulting in a double-free condition [1].
Exploitation
An attacker must write a crafted XML cache file to /tmp/iocheckCache.xml, which is globally writable, and then trigger the iocheckd service to parse that file by sending a specially crafted packet [1]. This requires local access or the ability to write to the device's filesystem; low privileges are sufficient to write the cache file. The attacker does not need authentication for the subsequent packet trigger, but the attack complexity is high due to the need to craft the payload and time the write appropriately [1].
Impact
Successful exploitation causes the iocheckd service to crash, leading to a denial of service for various iocheckd messages (e.g., BC_FactoryRestore) that will respond with errors instead of performing their intended functions [1]. Depending on the memory allocator used, the double-free condition may be leveraged for arbitrary code execution, potentially compromising the entire controller [1].
Mitigation
WAGO has not released a patched firmware version in the available references [1]. Users should monitor the vendor advisory for updates. As a workaround, restrict write access to /tmp/iocheckCache.xml or use filesystem permissions to prevent unauthorized modification of the cache file [1]. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WAGO/PFC 200 (description)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The iocheckd service frees the same heap pointer for gateway entries multiple times — once per `"
Attack vector
An attacker with any level of access can write a specially crafted XML file to `/tmp/iocheckCache.xml`, which is globally writable [ref_id=1]. The file contains multiple `
Affected code
The vulnerable code resides in the iocheckd service's parsing of the XML cache file `/tmp/iocheckCache.xml`. The disassembly shows that when a `
What the fix does
No patch is provided in the bundle. The advisory recommends two mitigations: disabling the iocheckd "I/O-Check" service via the Web-based management application, or disabling iocheckd caching by sending an `RC_WriteRegister` message on port 6626 [ref_id=1]. A Python script is supplied to perform the caching disable. To fully restore normal functionality after exploitation, the device must be rebooted or the root user must delete `/dev/shm/wago_IO_Check` [ref_id=1].
Preconditions
- input: Attacker must be able to write a file to /tmp/iocheckCache.xml (globally writable)
- input: Attacker must trigger the BC_SaveParameter message to cause parsing of the cache file
- network: Attacker must have network access to the device to send the triggering packet
Reproduction
1. Write the following malicious XML to `/tmp/iocheckCache.xml` on the device:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<settings>
  <network>
    <gateway>192.168.1.1</gateway>
    <gateway>192.168.1.2</gateway>
  </network>
</settings>
```
2. Send a `BC_SaveParameter` message to the iocheckd service to trigger parsing of the cache file [ref_id=1]. The iocheckd process will crash with a double-free error, as shown in the strace output ("double free or corruption (fasttop)") [ref_id=1].
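A defender-side check for the two conditions this page ties to the crash (a world-writable cache file and more than one `gateway` element), as an added example that is not from the advisory or from WAGO. The function names and the constructed sample files are hypothetical, and the element layout is assumed to match the sample cache file shown on this page.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

CACHE_PATH = "/tmp/iocheckCache.xml"  # cache path named on this page


def audit_cache(path=CACHE_PATH):
    """Return a list of findings for a cache file; an empty list means nothing flagged."""
    findings = []
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return findings  # no cache file present, nothing to audit
    if mode & stat.S_IWOTH:
        findings.append("cache file is world-writable")
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as exc:
        findings.append(f"cache file is not well-formed XML: {exc}")
        return findings
    # Assumption: the element name follows the sample file on this page.
    count = sum(1 for _ in root.iter("gateway"))
    if count > 1:
        findings.append(f"{count} <gateway> elements (multiple entries trigger the double free)")
    return findings


def _write(dirname, name, body, mode):
    """Helper for the demo: create a constructed sample file with a given mode."""
    path = os.path.join(dirname, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    os.chmod(path, mode)
    return path


def demo():
    """Audit two constructed files: one benign, one matching the flagged shape."""
    one = "<settings><network><gateway>192.0.2.1</gateway></network></settings>"
    two = ("<settings><network><gateway>192.0.2.1</gateway>"
           "<gateway>192.0.2.2</gateway></network></settings>")
    with tempfile.TemporaryDirectory() as d:
        clean = audit_cache(_write(d, "clean.xml", one, 0o600))
        flagged = audit_cache(_write(d, "flagged.xml", two, 0o666))
    return clean, flagged


if __name__ == "__main__":
    print(demo())
```

Run it against a copy of the cache file pulled from the controller rather than parsing the file in place on a production device.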
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] talosintelligence.com/vulnerability_reports/TALOS-2019-0965 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.