Skip to main content

TeamSpeak 3 Server CVE-2026-4390

| EUVDEUVD-2026-32580 MEDIUM
Buffer Overflow (CWE-119)
2026-05-27 cna@vuldb.com GHSA-cr8m-87qj-3732
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:05 vuln.today

DescriptionCVE.org

A weakness has been identified in TeamSpeak 3 Server up to 3.13.7. This affects the function process_resend_queue of the component Connection State Management. This manipulation causes use after free. The attack may be initiated remotely. Upgrading to version 3.13.8 is able to mitigate this issue. The affected component should be upgraded.

AnalysisAI

Use-after-free in TeamSpeak 3 Server versions 3.13.0 through 3.13.7 allows a low-privileged remote attacker to corrupt server memory via the process_resend_queue function within Connection State Management, resulting in limited integrity and availability impact. Discovered and disclosed by modzero.com (advisory MZ-26-01) and acknowledged by TeamSpeak via official security advisory TS-SA-2026-001, the vendor has released version 3.13.8 as the fix. No public exploit code exists and no active exploitation has been identified at time of analysis.

Technical ContextAI

The vulnerability resides in the process_resend_queue function of TeamSpeak 3 Server's Connection State Management subsystem - a component responsible for handling connection lifecycle and retransmission logic. The root cause is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), with reporter tags further specifying a use-after-free condition, a subclass where code references a memory region after it has been deallocated. This can lead to heap corruption, potentially enabling controlled data manipulation or process crashes. The affected product covers the full TeamSpeak 3 Server 3.13.x line (3.13.0-3.13.7) as confirmed by ENISA EUVD-2026-32580. The independent security firm modzero.com identified and responsibly disclosed the issue; additional technical details are available in advisory MZ-26-01 at https://modzero.com/en/advisories/mz-26-01-teamspeak/.

RemediationAI

The primary and recommended fix is upgrading TeamSpeak 3 Server to version 3.13.8, which is confirmed by the vendor as resolving this vulnerability. The latest server binaries are available at https://www.teamspeak.com/en/downloads/#server, and the vendor's security advisory TS-SA-2026-001 at https://files.teamspeak-services.com/docs/security/TS-SA-2026-001.html provides authoritative patch confirmation. If immediate upgrading is not operationally feasible, administrators should restrict server access to a minimum set of trusted authenticated users and apply network-level firewall or VPN rules to limit which client IPs can establish connections, reducing the pool of potential attackers who could trigger the vulnerable code path - note this trade-off reduces service accessibility. No official vendor-documented workarounds short of patching have been identified in the available references.

Share

CVE-2026-4390 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy