8.8

CVE-2024-27127

A double free vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute arbitrary code via a network.

We have already fixed the vulnerability in the following version:
QTS 5.1.7.2770 build 20240520 and later
QuTS hero h5.1.7.2770 build 20240520 and later

Data is provided by the National Vulnerability Database (NVD)
QnapQts Version5.1.0.2348 Updatebuild_20230325
QnapQts Version5.1.0.2399 Updatebuild_20230515
QnapQts Version5.1.0.2418 Updatebuild_20230603
QnapQts Version5.1.0.2444 Updatebuild_20230629
QnapQts Version5.1.0.2466 Updatebuild_20230721
QnapQts Version5.1.1.2491 Updatebuild_20230815
QnapQts Version5.1.2.2533 Updatebuild_20230926
QnapQts Version5.1.3.2578 Updatebuild_20231110
QnapQts Version5.1.4.2596 Updatebuild_20231128
QnapQts Version5.1.5.2645 Updatebuild_20240116
QnapQts Version5.1.5.2679 Updatebuild_20240219
QnapQts Version5.1.6.2722 Updatebuild_20240402
QnapQuts Hero Versionh5.1.0.2409 Updatebuild_20230525
QnapQuts Hero Versionh5.1.0.2424 Updatebuild_20230609
QnapQuts Hero Versionh5.1.0.2453 Updatebuild_20230708
QnapQuts Hero Versionh5.1.0.2466 Updatebuild_20230721
QnapQuts Hero Versionh5.1.1.2488 Updatebuild_20230812
QnapQuts Hero Versionh5.1.2.2534 Updatebuild_20230927
QnapQuts Hero Versionh5.1.3.2578 Updatebuild_20231110
QnapQuts Hero Versionh5.1.4.2596 Updatebuild_20231128
QnapQuts Hero Versionh5.1.5.2647 Updatebuild_20240118
QnapQuts Hero Versionh5.1.5.2680 Updatebuild_20240220
QnapQuts Hero Versionh5.1.6.2734 Updatebuild_20240414
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.36% 0.576
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@qnapsecurity.com.tw 7.2 3.9 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
CWE-415 Double Free

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.