Skip to main content

TeamSpeak 3 Server CVE-2026-4391

| EUVDEUVD-2026-32585 MEDIUM
Buffer Overflow (CWE-119)
2026-05-27 cna@vuldb.com GHSA-h574-9fvh-93j7
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:05 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in TeamSpeak 3 Server up to 3.13.7. This vulnerability affects unknown code of the component ECC Key Parser. Such manipulation leads to heap-based buffer overflow. The attack may be launched remotely. Upgrading to version 3.13.8 is able to resolve this issue. It is suggested to upgrade the affected component.

AnalysisAI

Heap-based buffer overflow in TeamSpeak 3 Server's ECC Key Parser allows remote unauthenticated attackers to crash the server, causing a denial of service against all versions up to and including 3.13.7. The vulnerability was discovered and disclosed by modzero security research (advisory mz-26-01-teamspeak) with a coordinated vendor response resulting in TeamSpeak security advisory TS-SA-2026-001. A proof-of-concept exploit exists per SSVC data, and the attack is automatable, meaning exploitation can be scripted at scale against exposed TeamSpeak server instances. No public exploit identified as confirmed actively exploited in the wild (not listed in CISA KEV at time of analysis).

Technical ContextAI

The vulnerability resides in the ECC (Elliptic Curve Cryptography) Key Parser component of the TeamSpeak 3 Server daemon. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) covers the root cause: a heap-based buffer overflow triggered by a malformed or adversarially crafted ECC key input. ECC key parsing typically occurs during connection establishment or cryptographic handshake processing, meaning the vulnerable code path is reachable without authentication. Heap overflows in parsers of this nature can overwrite adjacent heap metadata or function pointers; in this case, the CVSS 4.0 impact metrics (VC:N/VI:N/VA:L) indicate the primary exploitable consequence observed is availability degradation (server crash/DoS) rather than confirmed arbitrary code execution, though heap corruption primitives in general may carry latent exploitation potential depending on heap layout. Affected versions span TeamSpeak 3 Server 3.13.0 through 3.13.7.

RemediationAI

The primary fix is upgrading TeamSpeak 3 Server to version 3.13.8, which resolves the heap buffer overflow in the ECC Key Parser. Patched binaries are available from the official TeamSpeak download page (https://www.teamspeak.com/en/downloads/#server); reference vendor advisory TS-SA-2026-001 (https://files.teamspeak-services.com/docs/security/TS-SA-2026-001.html) for upgrade guidance. If immediate patching is not feasible, a compensating control is to restrict access to the TeamSpeak server's listening port (default UDP 9987 for voice, TCP 10011 for ServerQuery, TCP 30033 for file transfer) to trusted IP ranges using firewall rules - this directly prevents remote exploitation by untrusted hosts but does not eliminate the vulnerability and may impact legitimate users. An additional short-term measure is to place the server behind a network-layer firewall that blocks unsolicited inbound connections, reducing the automated exploitation risk flagged by SSVC. Neither workaround substitutes for patching, as they only reduce exposure surface.

Share

CVE-2026-4391 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy