Stack-based Buffer Overflow in Asustor VPN Clients
CVE-2026-6643

8.6 HIGH

Key Information:

Status
Vendor
CVE Published: 20 April 2026

What is CVE-2026-6643?

A stack-based buffer overflow exists in the VPN Clients component of Asustor's ADM platform. The flaw results from calling sscanf() with an unbounded conversion (typically %s without a field width), so that an overlong token overruns a fixed-size stack buffer, combined with passing user-controlled data directly as the format argument of printf() calls. Because the affected binary is built without Position Independent Executable (PIE) support or stack canaries, an authenticated remote attacker can turn the overflow into arbitrary code execution with the privileges of the web server user: a fixed load address removes the need for an address leak, and no canary guards the saved return address. Both properties can be confirmed on a binary with checksec, or with readelf -h (Type: EXEC rather than DYN) and a check for an imported __stack_chk_fail symbol. Organizations running affected versions of Asustor's VPN Clients should treat remediation as a priority and, until it is applied, limit who can reach the ADM web interface.
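The two defects named above, reconstructed in C as an added illustration that is not Asustor's code: the buffer size NAME_LEN, the "name=" line format and every function name here are assumptions chosen to show the pattern, not details of the affected binary. The first function has the unbounded sscanf() and the user-controlled printf() format; the second is the hardened form, which bounds the conversion, rejects truncated input instead of silently using a prefix, and only ever passes user data as a %s argument.

```c
/* Illustrative reconstruction of the bug class; NOT Asustor's code.
 * Build: cc -Wall -o vpn_parse vpn_parse.c */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64   /* assumed size of the on-stack buffer */

/* Vulnerable pattern: %s with no field width lets an overlong token overrun
 * `name` on the stack, and passing `line` as the printf format lets %x/%n
 * in attacker data read or write memory. Without PIE and stack canaries
 * the overwritten return address is a reliable target. */
int parse_vpn_name_unsafe(const char *line)
{
    char name[NAME_LEN];
    if (sscanf(line, "name=%s", name) != 1)   /* unbounded copy into name */
        return -1;
    printf(line);                              /* user data as format string */
    putchar('\n');
    return 0;
}

/* Hardened form. The field width 63 (NAME_LEN - 1) bounds the copy and
 * sscanf appends the NUL; the trailing %c detects a token that was cut off
 * rather than accepting its prefix. Returns 0 on success, -1 if the line
 * does not match, -2 if the name does not fit. */
int parse_vpn_name(const char *line, char *out, size_t outlen)
{
    char name[NAME_LEN];
    char next = '\0';
    int n = sscanf(line, "name=%63s%c", name, &next);
    if (n < 1)
        return -1;
    if (n == 2 && !isspace((unsigned char)next))
        return -2;                             /* token exceeded 63 chars */
    if (strlen(name) + 1 > outlen)
        return -2;
    memcpy(out, name, strlen(name) + 1);
    return 0;
}

/* Helper for checking results: 1 if the line parses and the name equals
 * `expected`, 0 if it parses to something else, otherwise the error code. */
int parse_matches(const char *line, const char *expected)
{
    char out[NAME_LEN];
    int rc = parse_vpn_name(line, out, sizeof out);
    if (rc != 0)
        return rc;
    return strcmp(out, expected) == 0 ? 1 : 0;
}

/* Constructed attack line: "name=" followed by 250 'A's, far beyond the
 * 64-byte buffer. The hardened parser rejects it with -2. */
int parse_overlong_demo(void)
{
    char out[NAME_LEN];
    char attack[256];
    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';
    memcpy(attack, "name=", 5);
    return parse_vpn_name(attack, out, sizeof out);
}

int main(void)
{
    char buf[NAME_LEN];
    if (parse_vpn_name("name=office-vpn", buf, sizeof buf) == 0)
        printf("parsed: %s\n", buf);           /* constant format, data as argument */
    printf("overlong line -> %d\n", parse_overlong_demo());
    parse_vpn_name_unsafe("name=office-vpn");  /* fits; the overlong line would smash the stack */
    return 0;
}
```

Running the demo shows the hardened parser accepting the short line and returning -2 for the overlong one; the unsafe function is only called with input that fits, since the overlong line would corrupt its stack frame.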

Affected Version(s)

ADM Linux 4.1.0 through 4.3.3.RR42 (inclusive)

ADM Linux 5.0.0 through 5.1.2.REO1 (inclusive)

References

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

YU-XIANG HUANG (mlgzackfly)