Fuji Electric Tellus Driver Vulnerable to Denial-of-Service Attacks
A vulnerability in Fuji Electric's Tellus pcid64 driver allows local attackers to cause denial-of-service conditions on affected systems.

A denial-of-service (DoS) vulnerability has been identified in the pcid64 driver component of Fuji Electric's Tellus product line. The vulnerability, tracked as ZDI-26-440 and assigned CVE-2026-8108, allows local attackers with low-privileged code execution capabilities to crash affected systems.
The core of the issue lies in the pcid64 driver's handling of user-supplied input. Specifically, the driver fails to properly validate a user-supplied value before dereferencing it as a pointer. This improper validation can lead to an untrusted pointer dereference, a common programming error that can cause an application or system to crash when it attempts to access memory at an invalid or unexpected address.
Exploitation requires an attacker to first gain a foothold on the target system, enabling them to execute low-privileged code. Once this prerequisite is met, the attacker can trigger the vulnerability by interacting with the pcid64 driver in a way that forces the dereference of the untrusted pointer. The immediate impact of a successful exploit is a denial-of-service condition, rendering the affected system unavailable.
The Zero Day Initiative (ZDI), which disclosed the vulnerability, assigned it a CVSS score of 5.5, categorizing it as medium severity. While not allowing for remote code execution or data theft, the ability to cause a denial of service on industrial or critical systems can still have significant operational and financial consequences.
Fuji Electric has acknowledged the vulnerability and has released an update to address the issue. The company's advisory, along with further details, can be found via a CISA alert, ICSA-26-132-01. Users of Fuji Electric Tellus products are strongly advised to apply the available patches as soon as possible to mitigate the risk of exploitation.
The disclosure timeline indicates that the vulnerability was initially reported to the vendor on October 9, 2025. Following a coordinated disclosure process, the advisory was publicly released on July 15, 2026, with an update to the advisory also occurring on the same date. This timeline highlights the typical duration for vulnerability discovery, vendor patching, and public disclosure.
This vulnerability serves as a reminder of the ongoing security challenges within the industrial control systems (ICS) and operational technology (OT) sectors. Drivers and low-level system components, often overlooked, can harbor critical flaws that, if exploited, can disrupt essential services. Proactive patching and diligent security hygiene remain paramount for protecting these environments.
The Zero Day Initiative advisory ZDI-26-439, released on July 15, 2026, details a local privilege escalation vulnerability in Fuji Electric Tellus, assigned CVE-2026-8108. This new advisory specifies that the flaw resides within the pcid64 driver and requires an attacker to first gain low-privileged code execution on the target system to exploit it, leading to SYSTEM-level privileges. This differs from the previously reported vulnerability (ZDI-26-439) which only mentioned denial-of-service conditions.