[CRITICAL] CVE-2026-35547 — CVSS 9.1 (April 30, 2026)

A CRITICAL-severity vulnerability identified as CVE-2026-35547 has been published on April 30, 2026 with a CVSS base score of 9.1. This security advisory provides a detailed breakdown of the vulnerability, its potential impact, weakness classification, and actionable steps to protect your systems.

Vulnerability Details

CVE ID: CVE-2026-35547
Severity: CRITICAL
CVSS Score: 9.1
Published: April 30, 2026
Weakness (CWE): CWE-122

Technical Description

When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.

Potential Impact

If exploited, this critical-severity vulnerability could allow an attacker to tamper with system integrity, cause a denial of service. Organizations running affected software should treat this as a priority remediation item.

Recommended Action

No official patch is available yet. Until one is released:

1. Monitor the official NVD page and vendor channels for patch announcements.
2. Restrict access to the affected system or service where possible.
3. Apply network-level mitigations such as firewall rules or WAF policies.
4. Enable logging and alerting for anomalous activity related to this vulnerability.
5. Review your incident response plan in case of active exploitation.

View full details on NVD →

References

• Reference 1

Related Security Advisories

• [HIGH] CVE-2026-26200 — CVSS 7.8 — HIGH / CVSS 7.8
• [CRITICAL] CVE-2026-3325 — CVSS 10.0 (April 29, 2026) — CRITICAL / CVSS 10.0
• [CRITICAL] CVE-2026-5964 — CVSS 9.8 (April 20, 2026) — CRITICAL / CVSS 9.8