Skip to main content

CVE-2026-0209

| EUVDEUVD-2026-22656 MEDIUM
Operator Precedence Logic Error (CWE-783)
2026-04-14 psirt@purestorage.com GHSA-jhcx-2f94-4747
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 19:43 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 18:22 euvd
EUVD-2026-22656
Analysis Generated
Apr 14, 2026 - 18:22 vuln.today
CVE Published
Apr 14, 2026 - 18:16 nvd
MEDIUM 6.9

DescriptionCVE.org

Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured.

AnalysisAI

FlashArray Purity applies snapshot retention policies with timing deviations from configured schedules, allowing authenticated administrators to inadvertently trigger premature or delayed data lifecycle actions. This affects FlashArray versions 5.0.0 through 6.10.0, impacting data retention integrity and compliance posture. The vulnerability requires high administrative privileges to exploit and results in integrity compromise of snapshot management operations.

Technical ContextAI

FlashArray Purity is Pure Storage's data management and protection layer for all-flash arrays, responsible for enforcing snapshot lifecycle policies including retention, replication, and deletion schedules. The vulnerability resides in the policy application scheduling logic (CWE-783: Operator Precedence Logic Error), where conditional logic or arithmetic calculations governing policy trigger timing produce incorrect execution windows. This affects the temporal consistency of snapshot operations across the storage platform, potentially causing snapshots to be retained beyond their intended deletion window or prematurely removed before the configured hold period expires. The issue manifests under specific administrative configurations that interact with the policy scheduler in unexpected ways.

RemediationAI

Pure Storage has released patched versions; administrators should upgrade to versions later than those listed in the ENISA EUVD affected range (e.g., 5.3.22 or later for the 5.x line, 6.11.0 or later for the 6.x line pending vendor confirmation). Before patching, verify snapshot retention policies are functioning as intended by manually reviewing recent snapshot deletion logs and comparing against policy configuration. Contact Pure Storage PSIRT (psirt@purestorage.com) for patch availability timeline if your version is not yet covered by a released fix. No workarounds are available beyond manual policy enforcement verification.

Share

CVE-2026-0209 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy