PatchSiren cyber security CVE debrief
CVE-2026-1951 Deltaww CVE debrief
CVE-2026-1951 is a critical Delta Electronics AS320T firmware flaw tied to missing length checks for a directory-name buffer. NVD assigns it CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a remotely reachable issue with no privileges or user interaction required. NVD’s affected CPE range marks AS320T firmware versions earlier than 1.12 as vulnerable. The vendor advisory linked in NVD covers this issue alongside related AS320T vulnerabilities.
- Vendor
- Deltaww
- Product
- CVE-2026-1951
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-24
- Original CVE updated
- 2026-05-11
- Advisory published
- 2026-04-24
- Advisory updated
- 2026-05-11
Who should care
Organizations operating Delta Electronics AS320T devices, especially teams responsible for OT/industrial network security, firmware management, and asset inventory. Exposure is most important where AS320T units are reachable from untrusted networks or are difficult to monitor and patch.
Technical summary
The published description states that Delta Electronics AS320T has no checking of the length of the buffer with the directory name, which aligns with a buffer overflow weakness. NVD maps the issue to CWE-121 (stack-based buffer overflow) and lists a network attack vector with low complexity, no privileges, and no user interaction. The vulnerability affects AS320T firmware versions before 1.12 according to the NVD CPE criteria.
Defensive priority
Immediate. The combination of unauthenticated remote attack potential and high confidentiality, integrity, and availability impact makes this a top-priority firmware issue to inventory, verify, and remediate.
Recommended defensive actions
- Inventory all Delta Electronics AS320T deployments and confirm firmware versions.
- Treat firmware versions earlier than 1.12 as vulnerable based on the NVD CPE range.
- Apply the vendor’s corrective firmware or mitigation guidance from the linked advisory as soon as validated in your environment.
- Reduce exposure by restricting network access to AS320T devices to trusted management paths only.
- Monitor for unusual device behavior, crashes, or unexpected service disruption until remediation is complete.
- Update asset records and patch status so affected systems are not missed in future maintenance cycles.
Evidence notes
All statements are derived from the supplied CVE/NVD record and the linked Delta vendor advisory reference. The CVSS vector, CWE-121 mapping, and affected firmware range come from NVD metadata. The published date used here is the CVE publishedAt timestamp provided in the corpus (2026-04-24T07:16:09.520Z). No exploit details or unsupported impact claims are included.
Official resources
-
CVE-2026-1951 CVE record
CVE.org
-
CVE-2026-1951 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
759f5e80-c8e1-4224-bead-956d7b33c98b - Vendor Advisory
Publicly disclosed on 2026-04-24 per the supplied CVE published timestamp. The record was modified on 2026-05-11. This debrief uses those supplied dates and does not infer any earlier issue date.