PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-27458 Festo Didactic SE CVE debrief

CVE-2022-27458 is a high-severity memory-safety issue tracked in the supplied CISA/CSAF advisory for Festo Didactic SE MES PC. The source attributes it to a use-after-free in Binary_string::free_buffer() (/sql/sql_string.h) in the MariaDB Server component bundled with the product and assigns a CVSS 3.1 base score of 7.5. The mitigation recommended in the advisory corpus is to move to Factory Control Panel, which Festo states includes fixes for the affected vulnerabilities.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Operators and administrators of Festo Didactic MES PC deployments, especially environments that still rely on the vulnerable XAMPP-based component set referenced in the advisory. Security teams supporting industrial/OT-adjacent training or control environments should prioritize validation and replacement planning.

Technical summary

The supplied advisory corpus associates CVE-2022-27458 with a use-after-free condition in Binary_string::free_buffer() (/sql/sql_string.h). The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: the issue is reachable over the network, needs no privileges or user interaction, does not change scope, and its impact is confined to availability (no confidentiality or integrity impact is recorded). The advisory metadata also points to CWE-416 (Use After Free).

Defensive priority

High. The issue is network-reachable and rated 7.5/High in the source, with availability impact and no listed privilege or user-interaction barriers. In the advisory corpus, Festo’s stated replacement path is the current Factory Control Panel release.

Recommended defensive actions

  • Confirm whether any MES PC systems are using the affected software stack described in the advisory.
  • Obtain the current Factory Control Panel release from Festo technical support as directed in the advisory and plan migration from the vulnerable component set.
  • If immediate replacement is not possible, restrict network exposure to the affected system and monitor for abnormal service crashes or stability issues.
  • Track the advisory references and vendor notices for any additional remediation guidance or updates.
  • Validate any deployed compensating controls against the published CVSS vector and the system's actual exposure.
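The first and third actions above (confirm which MES PC systems still run the affected stack, and watch isolated systems for abnormal service crashes) can be scripted. The following is an added example, not code from PatchSiren, Festo or CISA. It assumes an inventory of hosts with the version banner each one's MariaDB service reports and a flag for whether that service is reachable beyond the host; the inventory and the error-log lines are constructed sample data. The cut-off "10.6.3 and below" comes from the advisory description quoted in this debrief; the crash pattern is an assumption modelled on the "mysqld got signal N" line MariaDB writes when the server aborts.

```python
"""Affectedness and exposure triage for MES PC database components (added example)."""
import re

AFFECTED_UP_TO = (10, 6, 3)   # "MariaDB Server v10.6.3 and below", per the advisory text

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")
# Assumed crash signature, modelled on MariaDB's error-log abort message.
_CRASH_RE = re.compile(r"mysqld got signal (\d+)", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Extract the first x.y.z from a banner, e.g. 'Ver 15.1 Distrib 10.4.21-MariaDB' -> (10, 4, 21)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version_text: str) -> bool:
    """True when the reported version falls inside the advisory's affected range."""
    return parse_version(version_text) <= AFFECTED_UP_TO


def triage(inventory: list) -> list:
    """Rank hosts for action: the vector is AV:N/PR:N, so affected and network-exposed comes first."""
    ranked = []
    for host in inventory:
        affected = is_affected(host["version"])
        if affected and host["exposed"]:
            rank, action = 0, "restrict network access now, then migrate to Factory Control Panel"
        elif affected:
            rank, action = 1, "schedule migration to Factory Control Panel; keep crash monitoring on"
        else:
            rank, action = 2, "outside the affected range; confirm the stack is the vendor replacement"
        ranked.append({"host": host["host"], "version": parse_version(host["version"]),
                       "affected": affected, "rank": rank, "action": action})
    return sorted(ranked, key=lambda r: (r["rank"], r["host"]))


def crash_events(log_lines) -> list:
    """Return (line, signal) for error-log lines recording an aborted server."""
    hits = []
    for line in log_lines:
        m = _CRASH_RE.search(line)
        if m:
            hits.append((line.strip(), int(m.group(1))))
    return hits


# Constructed sample inventory: version banners as 'mysqld --version' style strings.
SAMPLE_INVENTORY = [
    {"host": "mespc-01", "version": "mysqld  Ver 10.6.3-MariaDB", "exposed": True},
    {"host": "mespc-02", "version": "mysqld  Ver 10.4.21-MariaDB", "exposed": False},
    {"host": "mespc-03", "version": "mysqld  Ver 10.6.4-MariaDB", "exposed": True},
]

# Constructed sample error-log lines; the 'got signal' lines are the crash indicator.
SAMPLE_LOG = [
    "2024-03-01 08:14:02 0 [Note] Server socket created on IP: '0.0.0.0'.",
    "240301  8:22:17 [ERROR] mysqld got signal 11 ;",
    "2024-03-01 08:22:40 0 [Note] Starting MariaDB 10.6.3-MariaDB as process 4412",
    "240301  9:05:51 [ERROR] mysqld got signal 6 ;",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:9} {'.'.join(map(str, row['version'])):8} affected={row['affected']!s:5} {row['action']}")
    for line, sig in crash_events(SAMPLE_LOG):
        print(f"crash (signal {sig}): {line}")
```

Two crashes in a short window on a host that is still in the affected range is exactly the signal the third action asks operators to watch for; feeding real banners and real error logs into the same two functions turns the list above into a repeatable check rather than a one-off.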

Evidence notes

Source corpus links this CVE to the CISA CSAF republication of Festo Didactic SE MES PC advisory ICSA-26-027-02, with the description 'MariaDB Server v10.6.3 and below was discovered to contain an use-after-free in the component Binary_string::free_buffer() at /sql/sql_string.h.' The same source provides a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and references CWE-416. The remediation entry states that Festo Didactic released Factory Control Panel as a replacement for XAMPP on MES PCs and that the current version includes fixes for these vulnerabilities. The source item was published on 2024-02-27 and republished/revised on 2026-01-27; those dates are advisory timeline context, not separate CVE issue dates.

Official resources

The supplied source is a government advisory republication (CISA CSAF) of a Festo Didactic SE advisory. The advisory timeline shows an initial publication on 2024-02-27 and a later republication/revision on 2026-01-27. The remediation entry