Skip to main content

ASR Kestrel EUVDEUVD-2026-26358

| CVE-2026-42799 HIGH
Out-of-bounds Read (CWE-125)
2026-04-30 ASR
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Patch available
Apr 30, 2026 - 15:31 EUVD
Patch released
Apr 30, 2026 - 15:09 nvd
Patch available
Analysis Generated
Apr 30, 2026 - 09:30 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 09:00 euvd
EUVD-2026-26358
Analysis Generated
Apr 30, 2026 - 09:00 vuln.today
CVE Published
Apr 30, 2026 - 08:36 nvd
HIGH 7.4

DescriptionCVE.org

Out-of-bounds read vulnerability in ASR Kestrel (nr_fw modules) allows Overflow Buffers.

This vulnerability is associated with program files Code/Nr/nr_fw/RA/src/NrPwrCtrl.C.

This issue affects Kestrel: before 2026/02/10.

AnalysisAI

Out-of-bounds read in ASR Kestrel's nr_fw power control module enables authenticated remote attackers to trigger buffer overflow conditions, potentially disclosing sensitive information and compromising system integrity with low-to-moderate impact across security boundaries. Exploitable over the network with low complexity by attackers holding low-privilege credentials. EPSS data unavailable; not currently listed in CISA KEV. Vendor advisory confirms patch released February 10, 2026.

Technical ContextAI

The vulnerability resides in the nr_fw module's power control component (NrPwrCtrl.C), part of ASR Kestrel's Radio Access (RA) subsystem for New Radio (5G NR) functionality. CWE-125 out-of-bounds read occurs when code accesses memory beyond allocated buffer boundaries without writing, typically during parsing or data processing operations. In telecommunications baseband processors and firmware, such flaws can expose cryptographic material, configuration data, or adjacent memory contents. The affected CPE string (cpe:2.3:a:asr:kestrel:*:*:*:*:*:*:*:*) indicates impact across all Kestrel versions prior to the February 2026 release, suggesting the flaw existed in the power control logic across multiple firmware iterations.

RemediationAI

Upgrade ASR Kestrel firmware to the version released on or after February 10, 2026, which addresses the out-of-bounds read in the nr_fw power control module. Consult the vendor Product Security Incident Response Team (PSIRT) advisory at https://www.asrmicro.com/en/goods/psirt?cid=44 for specific firmware build numbers, installation procedures, and compatibility notes for your deployment. If immediate patching is infeasible in production telecommunications environments, implement network segmentation to restrict access to Kestrel management interfaces to trusted administrator networks only, reducing exposure to the PR:L (low-privilege authenticated) attack vector. Monitor authentication logs for suspicious low-privilege account activity targeting nr_fw module endpoints. Consider application-layer firewall rules to block unusual power control API requests if such granular controls are supported. Note that access restrictions reduce exploitation probability but do not eliminate the underlying memory safety flaw-patching remains the definitive remediation.

CVE-2025-49480 HIGH
7.4 Jul 01

Out-of-bounds access in ASR180x 、ASR190x in lte-telephony, This vulnerability is associated with program files apps/lz

CVE-2025-49492 HIGH
7.4 Jul 01

Out-of-bounds write in ASR180x in lte-telephony, May cause a buffer underrun.  This vulnerability is associated with pr

CVE-2025-49483 MEDIUM
5.4 Jul 01

Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in tr069 modules allows Resource Leak Exposure.

CVE-2025-49482 MEDIUM
5.4 Jul 01

Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in tr069 modules allows Resource Leak Exposure.

CVE-2025-49481 MEDIUM
5.4 Jul 01

Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in router modules allows Resource Leak Exposure.

CVE-2025-49491 MEDIUM
5.4 Jul 01

Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linux、Kestrel、Lapwing_Linux on Linux (traffic_stat mod

CVE-2025-49488 MEDIUM
5.4 Jul 01

Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in router components allows Resource Leak Ex

CVE-2025-49490 MEDIUM
5.4 Jul 01

Resource leak vulnerability in ASR180x in router allows Resource Leak Exposure. This vulnerability is associated with p

CVE-2025-49489 MEDIUM
5.4 Jul 01

Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linux、Kestrel、Lapwing_Linux on Linux (con_mgr compon

CVE-2025-5072 MEDIUM
5.4 Jul 01

Resource leak vulnerability in ASR180x、ASR190x in con_mgr allows Resource Leak Exposure.This issue affects Falcon_Linux、

Share

EUVD-2026-26358 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy