Skip to main content

Dell PowerProtect Data Domain CVE-2026-56085

| EUVDEUVD-2026-41538 LOW
Use of Uninitialized Resource (CWE-908)
2026-07-03 security_alert@emc.com GHSA-m8g3-j6vx-2gv9
3.3
CVSS 3.1 · Vendor: emc

Severity by source

Vendor (emc) PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
3.3 LOW

Local access with low privileges required per description; only partial confidentiality impact from uninitialized memory read; no integrity or availability impact; scope unchanged.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (emc).

CVSS VectorVendor: emc

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jul 03, 2026 - 14:01 EUVD
Analysis Generated
Jul 03, 2026 - 13:32 vuln.today

DescriptionCVE.org

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain an use of uninitialized resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information exposure.

AnalysisAI

Information exposure in Dell PowerProtect Data Domain across multiple release tracks allows a low-privileged local attacker to read sensitive residual data via an uninitialized memory resource (CWE-908). The flaw spans the mainline 7.7.1.0-8.7 branch and three LTS tracks (LTS2024, LTS2025, LTS2026), confirmed by Dell via advisory DSA-2026-278. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged local account on appliance
Delivery
Authenticate to local session
Exploit
Invoke vulnerable code path
Execution
Read uninitialized memory buffer
Persist
Capture residual sensitive data
Impact
Exfiltrate information

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated local session on the Dell PowerProtect Data Domain appliance with at least low-level privileges, confirmed by the CVSS vector PR:L and AV:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.3 (Low) score is well-calibrated to the realistic risk profile: AV:L eliminates remote exploitation entirely, PR:L requires an authenticated foothold, and C:L means only partial data exposure rather than full system compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user with an existing local session on the Data Domain appliance - such as a restricted OS-level or application account - invokes a code path that reads from an uninitialized memory buffer, capturing residual data left by a prior process. The leaked contents could include configuration values, backup metadata, or other sensitive in-memory artifacts depending on timing and system state. …
Remediation Consult Dell advisory DSA-2026-278 at https://www.dell.com/support/kbdoc/en-us/000481268/dsa-2026-278-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities for the specific fixed versions applicable to each release track. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-29987 HIGH
8.8 Apr 03

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) versions prior to 8.3.0.15 contain an Insufficie

CVE-2026-56086 HIGH
8.8 Jul 08

Improper authorization enforcement in Dell PowerProtect Data Domain (versions 7.7.1.0 through 8.6, plus LTS branches 8.6

CVE-2024-37140 HIGH
8.8 Jun 26

Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 contain an OS command injection v

CVE-2024-29176 HIGH
8.8 Jun 26

Dell PowerProtect DD, version(s) 8.0, 7.13.1.0, 7.10.1.30, 7.7.5.40, contain(s) an Out-of-bounds Write vulnerability. Ra

CVE-2026-53482 HIGH
7.5 Jul 08

Denial of service in Dell PowerProtect Data Domain (DDOS versions 7.7.1.0 through 8.7, plus LTS2026 8.6.1.0-8.6.1.10, LT

CVE-2024-45759 HIGH
7.3 Nov 08

Dell PowerProtect Data Domain, versions prior to 8.1.0.0, 7.13.1.10, 7.10.1.40, and 7.7.5.50, contains an escalation of

CVE-2024-48010 HIGH
7.2 Nov 08

Dell PowerProtect DD, versions prior to 8.1.0.0, 7.13.1.10, 7.10.1.40, and 7.7.5.50, contains an access control vulnerab

CVE-2026-41122 HIGH
7.1 Jul 08

Stored cross-site scripting in Dell PowerProtect Data Domain (DD OS 7.7.1.0 through 8.7, plus the LTS2026 8.6.1.x, LTS20

CVE-2024-37138 MEDIUM
6.8 Jun 26

Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 on DDMC contain a relative path t

CVE-2026-54483 MEDIUM
6.7 Jul 03

OS command injection in Dell PowerProtect Data Domain enables a high-privileged local attacker to execute arbitrary oper

CVE-2026-26355 MEDIUM
6.5 Jul 03

OS command injection in Dell PowerProtect Data Domain across four version release trains allows a high-privileged remote

CVE-2025-46645 MEDIUM
6.5 Jan 09

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.

Share

CVE-2026-56085 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy