VYPR
High severity (CVSS 7.5). NVD Advisory, published May 26, 2026.

CVE-2026-8047

Description

The affected products perform improper length checking when parsing incoming HTTP requests, resulting in a size-limited out-of-bounds write. An unauthenticated remote attacker can exploit this flaw to cause a denial of service via a system crash on the affected device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A size-limited out-of-bounds write in CODESYS Control's web server lets an unauthenticated remote attacker crash the device.

Vulnerability

The CmpWebServer component of the CODESYS Control Runtime performs improper length checking when parsing incoming HTTP requests. This results in a size-limited out-of-bounds write in memory. The vulnerability only affects devices where the web server is active, which by default requires a running application with an enabled Web Visualization. The following products are affected in all versions prior to v4.8.0.0 [1]:

  CODESYS Control for Raspberry Pi SL
  CODESYS Control for BeagleBone SL
  CODESYS Control for IOT2000 SL
  CODESYS Control for Linux SL
  CODESYS Control for PFC100 SL
  CODESYS Control for PFC200 SL
  CODESYS Control for emPC-A/I.MX6 SL
  CODESYS Control RTE SL
  CODESYS Control Win SL
  CODESYS Control for PLCnext SL
  CODESYS Control for empc-a/imx6ul sl
  CODESYS Control for Linux ARM SL
  CODESYS HMI SL
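The bug class described above (a request field whose length is not validated before it is copied into a fixed-size buffer, so an oversize field is written past the buffer's end) is illustrated by the following C code. This is an added, hypothetical example and not CODESYS code; it does not reflect the actual CmpWebServer implementation. It shows a bounded HTTP request-line parser in which the length check inside copy_token() is the validation whose absence would turn an oversize token into a size-limited out-of-bounds write. All names, buffer sizes and sample inputs are constructed for the illustration.

```c
/* Hypothetical illustration, not CODESYS code: a bounded HTTP request-line
 * parser. The length check in copy_token() is the validation whose absence
 * turns an oversize field into a size-limited out-of-bounds write. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_METHOD  8
#define MAX_TARGET  64
#define MAX_VERSION 16

typedef struct {
    char method[MAX_METHOD];
    char target[MAX_TARGET];
    char version[MAX_VERSION];
} request_line_t;

/* Copy len bytes of src into dst (capacity cap) and NUL-terminate.
 * Returns 0 on success, -1 if the token would not fit: the caller rejects
 * the request instead of writing past the end of the field. */
static int copy_token(char *dst, size_t cap, const char *src, size_t len) {
    if (len >= cap) {
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "METHOD SP TARGET SP VERSION" from exactly line_len bytes of line
 * (no NUL terminator required). Returns 0 on success, -1 on malformed or
 * oversize input. On failure *out is zeroed so no partial data leaks out. */
int parse_request_line(const char *line, size_t line_len, request_line_t *out) {
    const char *end = line + line_len;
    const char *p = line;
    const char *sp;

    memset(out, 0, sizeof(*out));

    sp = memchr(p, ' ', (size_t)(end - p));
    if (sp == NULL || copy_token(out->method, MAX_METHOD, p, (size_t)(sp - p)) != 0) {
        goto fail;
    }
    p = sp + 1;

    sp = memchr(p, ' ', (size_t)(end - p));
    if (sp == NULL || copy_token(out->target, MAX_TARGET, p, (size_t)(sp - p)) != 0) {
        goto fail;
    }
    p = sp + 1;

    if (copy_token(out->version, MAX_VERSION, p, (size_t)(end - p)) != 0) {
        goto fail;
    }
    return 0;

fail:
    memset(out, 0, sizeof(*out));
    return -1;
}

/* Convenience wrapper for a NUL-terminated request line. */
int parse_request_line_str(const char *line, request_line_t *out) {
    return parse_request_line(line, strlen(line), out);
}

/* Constructed self-checks; each returns 1 on pass, 0 on fail. */
int check_valid_line(void) {
    request_line_t r;
    if (parse_request_line_str("GET /index.html HTTP/1.1", &r) != 0) return 0;
    return strcmp(r.method, "GET") == 0 && strcmp(r.target, "/index.html") == 0 &&
           strcmp(r.version, "HTTP/1.1") == 0;
}

/* Build and parse a constructed request whose target is target_len bytes. */
static int parse_with_target_len(size_t target_len, request_line_t *r) {
    char target[MAX_TARGET + 8];
    char line[MAX_TARGET + 32];
    memset(target, 'a', target_len);
    target[target_len] = '\0';
    snprintf(line, sizeof line, "GET %s HTTP/1.1", target);
    memset(r, 0x5A, sizeof(*r));   /* poison so any partial write is visible */
    return parse_request_line_str(line, r);
}

/* A target of MAX_TARGET-1 bytes is the largest that fits with its NUL. */
int check_boundary_target_accepted(void) {
    request_line_t r;
    return parse_with_target_len(MAX_TARGET - 1, &r) == 0 &&
           strlen(r.target) == MAX_TARGET - 1;
}

/* One byte more must be rejected and must leave the struct fully zeroed. */
int check_oversize_target_rejected(void) {
    request_line_t r;
    const unsigned char *bytes = (const unsigned char *)&r;
    if (parse_with_target_len(MAX_TARGET, &r) != -1) return 0;
    for (size_t i = 0; i < sizeof r; i++) {
        if (bytes[i] != 0) return 0;
    }
    return 1;
}

int main(void) {
    printf("valid line: %s\n", check_valid_line() ? "ok" : "FAIL");
    printf("boundary target: %s\n", check_boundary_target_accepted() ? "ok" : "FAIL");
    printf("oversize target: %s\n", check_oversize_target_rejected() ? "ok" : "FAIL");
    return 0;
}
```

The design point for defenders reviewing embedded HTTP parsers is the `len >= cap` test before every copy: the parser works from an explicit byte count, rejects the whole request when any token would not fit, and clears the output on failure so a rejected request leaves no partially written state behind.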

Exploitation

An attacker needs no authentication and only network access to the affected device. By sending a specially crafted HTTP request to the web server, the attacker can trigger the out-of-bounds write due to the improper length check [1]. The web server must be active (i.e., a CODESYS application with Web Visualization enabled must be running) for the vulnerability to be reachable [1].

Impact

Successful exploitation allows an unauthenticated remote attacker to cause an out-of-bounds write, which crashes the CODESYS Control Runtime system. This results in a denial of service on the affected device, disrupting industrial control operations [1].

Mitigation

The vendor has released a fix in CODESYS Control v4.8.0.0. Users are advised to update all affected products to version 4.8.0.0 or later. As a workaround, if the web server is not required, it can be disabled to prevent exploitation [1]. No known exploitation in the wild or KEV listing has been reported as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

References

1
