Remote TCP Connection Exhaustion Vulnerability in CODESYS Modbus TCP Server
CVE-2026-35227

8.2HIGH

Key Information:

Vendor: Codesys
Status: Codesys Modbus
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-35227?

An unauthenticated remote attacker can exploit a race condition in the connection handling of the CODESYS Modbus TCP Server stack. This vulnerability allows the attacker to exhaust all available TCP connections, preventing legitimate clients from creating new connections. The potential for disruption makes it critical for users to address this issue promptly.

Affected Version(s)

CODESYS Modbus 1.0.0.0 < 4.6.0.0

References

https://certvde.com/de/advisories/VDE-2026-042

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 1, 2026

Credit

ABB Schweiz AG

CVE-2026-35227 Data

JSON

Codesys

What is CVE-2026-35227?

Affected Version(s)

References

CVSS V4

Timeline

Credit