Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated remote trigger (AV:N/AC:L/PR:N/UI:N) with availability-only impact from a DoS integer overflow, so C:N/I:N/A:H and scope unchanged.
Primary rating from Vendor (emc).
CVSS VectorVendor: emc
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an Integer overflow or wraparound vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
AnalysisAI
Denial of service in Dell PowerProtect Data Domain (DDOS versions 7.7.1.0 through 8.7, plus LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, and LTS2024 7.13.1.0-7.13.1.70) allows a remote, unauthenticated attacker to crash or hang the appliance by triggering an integer overflow (CWE-190). Per the CVSS vector (PR:N/UI:N), no authentication or user interaction is required, and the impact is confined to availability (C:N/I:N/A:H) - no data disclosure or code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerable component must be network-reachable by the attacker; per CVSS AV:N/AC:L/PR:N/UI:N no authentication, no user interaction, and no special product configuration are stated as prerequisites, so any exposed instance of the affected DDOS versions is theoretically reachable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 7.5 (High) is driven entirely by remote reachability with no privileges or interaction (AV:N/AC:L/PR:N/UI:N) combined with a total availability impact (A:H) and no confidentiality or integrity impact - a classic unauthenticated DoS profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to the appliance sends a crafted request to the vulnerable DDOS network service containing a value that triggers the integer overflow in a size/length calculation, causing the service or appliance to crash and interrupting backup and restore operations. No credentials or user interaction are required per the CVSS vector, but no public POC has been identified, so exploitation would require the attacker to independently discover the affected code path. |
| Remediation | Upgrade DDOS to a Dell-fixed release per advisory DSA-2026-278 (https://www.dell.com/support/kbdoc/en-us/000481268/dsa-2026-278-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities); the input does not enumerate exact patched build numbers, so consult that advisory for the fixed version corresponding to your branch (mainline, LTS2026, LTS2025, or LTS2024) rather than relying on an assumed number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct inventory of all Dell PowerProtect Data Domain installations and identify running versions (affected: 7.7.1.0-8.7, LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, LTS2024 7.13.1.0-7.13.1.70). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Data Domain Operating System
View allDell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficie
Improper authorization enforcement in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.6, plus LTS branches 8.6
Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain an OS command injection v
Dell PowerProtect DD, version(s) 8.0, 7.13.1.0, 7.10.1.30, 7.7.5.40, contain(s) an Out-of-bounds Write vulnerability. Ra
Dell PowerProtect Data Domain, versions prior to 8.1.0.0, 7.13.1.10, 7.10.1.40, and 7.7.5.50, contains an escalation of
Dell PowerProtect DD, versions prior to 8.1.0.0, 7.13.1.10, 7.10.1.40, and 7.7.5.50, contains an access control vulnerab
Stored cross-site scripting in Dell PowerProtect Data Domain (DD OS 7.7.1.0 through 8.7, plus the LTS2026 8.6.1.x, LTS20
Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 on DDMC contain a relative path t
OS command injection in Dell PowerProtect Data Domain enables a high-privileged local attacker to execute arbitrary oper
OS command injection in Dell PowerProtect Data Domain across four version release trains allows a high-privileged remote
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.
Dell PowerProtect DD, versions prior to 7.7.5.50, contains an Exposure of Sensitive Information to an Unauthorized Actor
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42243
GHSA-4cxm-m972-4x2h