Critical severity9.9NVD Advisory· Published Apr 20, 2026· Updated Apr 22, 2026

CVE-2026-6643

Description

A stack-based buffer overflow vulnerability was found in the VPN Clients on the ADM. The issue stems from the use of unbounded sscanf() and passing user-controlled data directly to printf(). Due to the lack of PIE and Stack Canary protections, an authenticated remote attacker can exploit these to execute arbitrary code as the web server user. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.RR42 as well as from ADM 5.0.0 through ADM 5.1.2.REO1.

Affected products

Asustor/Data Master
cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*
Range: >=4.1.0.rhu2,<4.3.3.RR42

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.asustor.com/security/security_advisory_detailnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.643
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000