CVE-2026-3509 PUBLISHED

CODESYS Control Audit Log Format String DoS

Assigner: CERTVDE
Reserved: 04.03.2026 Published: 24.03.2026 Updated: 24.03.2026

An unauthenticated remote attacker may be able to control the format string of messages processed by the Audit Log of the CODESYS Control runtime system, potentially resulting in a denial‑of‑service (DoS) condition.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	CODESYS
Product	CODESYS Control RTE (SL)
Versions	Default: unaffected affected from 3.5.17.0 to 3.5.22.0 (excl.)

Vendor	CODESYS
Product	CODESYS Control RTE (for Beckhoff CX) SL
Versions	Default: unaffected affected from 3.5.17.0 to 3.5.22.0 (excl.)

Vendor	CODESYS
Product	CODESYS Control Win (SL)
Versions	Default: unaffected affected from 3.5.17.0 to 3.5.22.0 (excl.)

Vendor	CODESYS
Product	CODESYS Runtime Toolkit
Versions	Default: unaffected affected from 3.5.17.0 to 3.5.22.0 (excl.)

Vendor	CODESYS
Product	CODESYS Control for BeagleBone SL
Versions	Default: unaffected affected from 4.1.0.0 to 4.21.0.0 (excl.)

Vendor	CODESYS
Product	CODESYS Control for emPC-A/iMX6 SL
Versions	Default: unaffected affected from 4.1.0.0 to 4.21.0.0 (excl.)

Vendor	CODESYS
Product	CODESYS Control for IOT2000 SL
Versions	Default: unaffected affected from 4.1.0.0 to 4.21.0.0 (excl.)

Vendor	CODESYS
Product	CODESYS Control for Linux ARM SL
Versions	Default: unaffected affected from 4.1.0.0 to 4.21.0.0 (excl.)

Vendor	CODESYS
Product	CODESYS Control for Linux SL
Versions	Default: unaffected affected from 4.1.0.0 to 4.21.0.0 (excl.)

Vendor	CODESYS
Product	CODESYS Control for PFC100 SL
Versions	Default: unaffected affected from 4.1.0.0 to 4.21.0.0 (excl.)

Vendor	CODESYS
Product	CODESYS Control for PFC200 SL
Versions	Default: unaffected affected from 4.1.0.0 to 4.21.0.0 (excl.)

Vendor	CODESYS
Product	CODESYS Control for PLCnext SL
Versions	Default: unaffected affected from 4.1.0.0 to 4.21.0.0 (excl.)

Vendor	CODESYS
Product	CODESYS Control for Raspberry Pi SL
Versions	Default: unaffected affected from 4.1.0.0 to 4.21.0.0 (excl.)

Vendor	CODESYS
Product	CODESYS Control for WAGO Touch Panels 600 SL
Versions	Default: unaffected affected from 4.1.0.0 to 4.21.0.0 (excl.)

Vendor	CODESYS
Product	CODESYS Virtual Control SL
Versions	Default: unaffected affected from 4.1.0.0 to 4.21.0.0 (excl.)

References

https://certvde.com/de/advisories/VDE-2026-018

Problem Types

CWE-134 Use of Externally-Controlled Format String CWE