Skip to main content

Dotouch XproUPF EUVDEUVD-2026-28983

| CVE-2026-8232 MEDIUM
Improper Resource Shutdown or Release (CWE-404)
2026-05-10 VulDB GHSA-637x-347r-m83j
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 10, 2026 - 06:30 vuln.today
Severity Changed
May 10, 2026 - 06:22 NVD
LOW MEDIUM
CVSS changed
May 10, 2026 - 06:22 NVD
3.5 (LOW) 5.1 (MEDIUM)
CVE Published
May 10, 2026 - 05:15 nvd
MEDIUM 5.1

DescriptionCVE.org

A vulnerability was found in Dotouch XproUPF 2.0.0-release-088aa7c4. This impacts the function vlib_worker_loop in the library /usr/xpro/upf/tools/libs/libvlib.so of the component UPF Process. The manipulation results in denial of service. The vendor was contacted early about this disclosure.

AnalysisAI

Denial of service in Dotouch XproUPF 2.0.0 through manipulation of the vlib_worker_loop function in libvlib.so allows local authenticated attackers to crash the UPF process. The vulnerability has CVSS 5.1 (AV:A/AC:L/PR:L) and targets availability rather than confidentiality or integrity. No public exploit code or active exploitation has been confirmed; the vendor was notified early during responsible disclosure.

Technical ContextAI

The vulnerability exists in libvlib.so, a core library component of the Dotouch XproUPF packet processing framework. The vlib_worker_loop function is part of the UPF Process component, which handles user plane forwarding logic in 5G/LTE infrastructure. The flaw is classified as CWE-404 (Improper Resource Validation), suggesting the function fails to properly validate or handle resources (memory, file descriptors, or processing state) during worker thread execution. When this validation is bypassed through crafted manipulation, the worker loop enters an invalid state leading to process termination. The attack surface is limited to local access (AV:A) and requires low privilege authenticated sessions (PR:L), constraining exploitation to internal network threats or compromised non-admin accounts.

RemediationAI

Contact Dotouch for an updated version of libvlib.so or XproUPF package that addresses CWE-404 resource validation in vlib_worker_loop. At minimum, apply vendor-released patches when available. If a patched version is not immediately available, implement compensating controls: (1) restrict local network access to XproUPF administrative interfaces using firewall rules or VLANs to limit who can reach the UPF from adjacent networks; (2) enforce strong authentication and audit logging for all local sessions to the UPF to detect suspicious access; (3) deploy process monitoring and automatic restart mechanisms (systemd watchdog, supervisor, or Kubernetes liveness probes) to minimize DoS impact if the vlib_worker_loop process crashes; (4) isolate development/test XproUPF instances from production traffic to reduce blast radius. Trade-off: network isolation may impact operational visibility or management access - coordinate with network operations. Monitor VulDB record 362449 and vendor advisories for patch availability.

Share

EUVD-2026-28983 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy