Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was detected in TeamSpeak 3 Server up to 3.13.7. This issue affects some unknown processing of the component clientek Handshake Handler. Performing a manipulation of the argument proof results in reachable assertion. Remote exploitation of the attack is possible. Upgrading to version 3.13.8 is capable of addressing this issue. Upgrading the affected component is recommended.
AnalysisAI
Reachable assertion in TeamSpeak 3 Server's client handshake handler allows remote unauthenticated attackers to crash the server by manipulating the 'proof' argument during connection setup, resulting in a denial of service. All versions from 3.13.0 through 3.13.7 are affected; the issue was independently researched by modzero and disclosed via TeamSpeak security advisory TS-SA-2026-001. No public exploit or CISA KEV listing exists at time of analysis, but the low-complexity, no-privileges-required attack surface makes this straightforward to trigger remotely.
Technical ContextAI
TeamSpeak 3 Server implements a proprietary client-server protocol with a handshake phase during connection establishment. The vulnerable component is the client handshake handler ('clientek Handshake Handler'), specifically the processing of a 'proof' argument exchanged during the handshake. CWE-617 (Reachable Assertion) indicates that an assert() or equivalent defensive check within the handshake parsing code can be triggered by supplying unexpected or malformed input for the 'proof' field, causing the server process to abort rather than gracefully reject the connection. This is a logic/defensive-programming flaw rather than a memory safety issue - the assertion was likely intended as an internal invariant check but is reachable via externally controlled input. Affected CPE covers TeamSpeak 3 Server versions 3.13.0 through 3.13.7 on all supported platforms.
RemediationAI
Upgrade to TeamSpeak 3 Server version 3.13.8, which resolves this vulnerability per the vendor advisory at https://files.teamspeak-services.com/docs/security/TS-SA-2026-001.html. The patched release is available at https://www.teamspeak.com/en/downloads/#server. If immediate patching is not possible, consider restricting access to the TeamSpeak server port (default UDP 9987) to trusted IP ranges using firewall rules - this limits the remote attack surface but will prevent legitimate users from connecting from outside those ranges. There is no documented workaround that disables only the vulnerable handshake proof processing without also blocking client connections entirely. Given the DoS-only impact and availability of a vendor patch, upgrading to 3.13.8 is the recommended and sufficient remediation.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32592
GHSA-jfq9-pq7p-655w