{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27664", "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "state": "PUBLISHED", "assignerShortName": "siemens", "dateReserved": "2026-02-23T10:07:00.531Z", "datePublished": "2026-03-26T14:03:21.993Z", "dateUpdated": "2026-03-26T18:24:41.814Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens", "dateUpdated": "2026-03-26T14:03:21.993Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.10), SICORE Base system (All versions < V26.10.0). The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated attacker to exploit this issue by sending a malicious XML request, which may cause the service to crash, resulting in a denial-of-service condition."}], "affected": [{"vendor": "Siemens", "product": "CPCI85 Central Processing/Communication", "versions": [{"status": "affected", "version": "0", "lessThan": "V26.10", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "SICORE Base system", "versions": [{"status": "affected", "version": "0", "lessThan": "V26.10.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}, {"cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "baseScore": 8.7, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-246443.html"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T17:50:28.782194Z", "id": "CVE-2026-27664", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:24:41.814Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27664", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T17:50:28.782194Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T17:54:51.045Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}, {"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}], "affected": [{"vendor": "Siemens", "product": "CPCI85 Central Processing/Communication", "versions": [{"status": "affected", "version": "0", "lessThan": "V26.10", "versionType": "custom"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "SICORE Base system", "versions": [{"status": "affected", "version": "0", "lessThan": "V26.10.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://cert-portal.siemens.com/productcert/html/ssa-246443.html"}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.10), SICORE Base system (All versions < V26.10.0). The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated attacker to exploit this issue by sending a malicious XML request, which may cause the service to crash, resulting in a denial-of-service condition."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens", "dateUpdated": "2026-03-26T14:03:21.993Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27664", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:24:41.814Z", "dateReserved": "2026-02-23T10:07:00.531Z", "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "datePublished": "2026-03-26T14:03:21.993Z", "assignerShortName": "siemens"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.10), SICORE Base system (All versions < V26.10.0). The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated attacker to exploit this issue by sending a malicious XML request, which may cause the service to crash, resulting in a denial-of-service condition."}], "id": "CVE-2026-27664", "lastModified": "2026-03-26T15:16:34.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "productcert@siemens.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "productcert@siemens.com", "type": "Secondary"}]}, "published": "2026-03-26T15:16:34.340", "references": [{"source": "productcert@siemens.com", "url": "https://cert-portal.siemens.com/productcert/html/ssa-246443.html"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "productcert@siemens.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,V26.10)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "matching", "scores": [{"score": 99.0, "source": "matching"}]}, "original": {"product": "CPCI85 Central Processing/Communication", "source": "cna", "vendor": "Siemens"}, "product": "cpci85_central_processing\\/communication", "vendor": "siemens"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,V26.10.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SICORE Base system", "source": "cna", "vendor": "Siemens"}, "product": "sicore_base_system", "vendor": "siemens"}], "analysis": {"en": {"generated_at": "2026-03-26T15:27:54.719614+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware or software upgrade that includes version V26.10 or later for both CPCI85 and SICORE Base system.", "If an update cannot be applied immediately, isolate the affected devices by placing them behind a firewall or VLAN and block any XML traffic from unauthenticated sources.", "Deploy monitoring on the service to detect repeated crash events and alert administrators.", "Validate that the XML parser accepts only well\u2011formed documents and consider implementing a strict schema or white\u2011list approach.", "Verify the patch by reproducing a test XML send and confirming the service remains stable."], "summary": {"action": "Patch", "impact": "Denial of Service via crash from out\u2011of\u2011bounds write"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Siemens CPCI85 Central Processing/Communication model versions earlier than V26.10 and all Siemens SICORE Base system releases earlier than V26.10.0. Neither product requires user authentication to interact with the service that processes XML, so any entity able to reach the system can send the malicious payload.", "description_and_impact": "An out\u2011of\u2011bounds write occurs when the affected Siemens CPCI85 Central Processing/Communication and SICORE Base system parse specially crafted XML. The vendor data indicates that the write can corrupt memory and crash the service, which results in a denial\u2011of\u2011service condition. This weakness is classified as CWE\u2011787, meaning an unchecked buffer overwrite that can abort normal execution.", "risk_and_exploitability": "The CVSS score of 8.7 marks this issue as high severity. Although EPSS data is unavailable and the vulnerability has not been listed in the CISA KEV catalog, the attack vector is inferred to be unauthenticated over the network, allowing remote exploitation. No public exploits are known, but the out\u2011of\u2011bounds write may affect service availability whenever the malformed XML is processed, making the exposure significant for operational continuity."}}}}, "created": "2026-03-27T08:34:10.386432+00:00", "title": "Out\u2011of\u2011Bounds Write in XML Parsing Causing Denial of Service", "updated": "2026-03-27T09:26:37.656218+00:00", "vendors": ["siemens", "siemens$PRODUCT$cpci85_central_processing\\/communication", "siemens$PRODUCT$sicore_base_system"]}