Skip to main content

Lines CVE-2026-33268

| EUVDEUVD-2026-15421 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-03-25 cisa-cg
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
12.3.6
EUVD ID Assigned
Mar 25, 2026 - 14:30 euvd
EUVD-2026-15421
Analysis Generated
Mar 25, 2026 - 14:30 vuln.today
CVE Published
Mar 25, 2026 - 14:21 nvd
MEDIUM 6.9

DescriptionCVE.org

Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A remote, unauthenticated attacker can upload firmware files on the device and consume storage resources. Fixed in 12.3.6.

AnalysisAI

Nanoleaf Lines firmware versions prior to 12.3.6 lack authentication controls on firmware file upload endpoints, allowing remote unauthenticated attackers to upload arbitrary files to the device. This vulnerability enables denial-of-service attacks through storage resource exhaustion and potential firmware tampering without requiring valid credentials or user interaction. The vulnerability has a CVSS score of 6.5 (Medium) with network-based attack vector and low complexity, and is tagged with denial-of-service impact indicators in CISA reporting.

Technical ContextAI

The vulnerability exists in Nanoleaf Lines smart lighting controllers (CPE: cpe:2.3:a:nanoleaf:lines:*:*:*:*:*:*:*:*) which are IoT devices that manage LED light arrays through firmware and configuration updates. The root cause is classified under CWE-400 (Uncontrolled Resource Consumption), specifically stemming from missing authentication mechanisms on firmware upload endpoints. The device firmware update process fails to verify the identity or authorization of upload requests before accepting and storing files, allowing any network-accessible attacker to submit malicious or oversized payloads that consume finite device storage resources without authentication or prior privilege escalation.

RemediationAI

Immediately upgrade Nanoleaf Lines devices to firmware version 12.3.6 or later, which patches the authentication bypass. Users should access device settings through the Nanoleaf mobile application or web interface to trigger firmware update checks, or manually download the latest firmware from the Nanoleaf support website and upload it through an authenticated session only after applying this patch. As a temporary workaround pending patch deployment, restrict network access to Nanoleaf Lines devices by implementing network segmentation (VLAN isolation or firewall rules limiting device access to trusted administrative subnets only) and disabling remote management features if available. Monitor device storage usage for signs of exploitation (unexpected file uploads consuming disk space). Refer to the CISA advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-084-01.json for additional hardening guidance.

Share

CVE-2026-33268 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy