Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured.
AnalysisAI
FlashArray Purity applies snapshot retention policies with timing deviations from configured schedules, allowing authenticated administrators to inadvertently trigger premature or delayed data lifecycle actions. This affects FlashArray versions 5.0.0 through 6.10.0, impacting data retention integrity and compliance posture. The vulnerability requires high administrative privileges to exploit and results in integrity compromise of snapshot management operations.
Technical ContextAI
FlashArray Purity is Pure Storage's data management and protection layer for all-flash arrays, responsible for enforcing snapshot lifecycle policies including retention, replication, and deletion schedules. The vulnerability resides in the policy application scheduling logic (CWE-783: Operator Precedence Logic Error), where conditional logic or arithmetic calculations governing policy trigger timing produce incorrect execution windows. This affects the temporal consistency of snapshot operations across the storage platform, potentially causing snapshots to be retained beyond their intended deletion window or prematurely removed before the configured hold period expires. The issue manifests under specific administrative configurations that interact with the policy scheduler in unexpected ways.
RemediationAI
Pure Storage has released patched versions; administrators should upgrade to versions later than those listed in the ENISA EUVD affected range (e.g., 5.3.22 or later for the 5.x line, 6.11.0 or later for the 6.x line pending vendor confirmation). Before patching, verify snapshot retention policies are functioning as intended by manually reviewing recent snapshot deletion logs and comparing against policy configuration. Contact Pure Storage PSIRT (psirt@purestorage.com) for patch availability timeline if your version is not yet covered by a released fix. No workarounds are available beyond manual policy enforcement verification.
Same weakness CWE-783 – Operator Precedence Logic Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22656
GHSA-jhcx-2f94-4747