Skip to main content

Triofox EUVDEUVD-2026-32645

| CVE-2026-8360 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-27 tenable GHSA-8h36-w88j-j75h
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
May 27, 2026 - 22:04 EUVD
Analysis Generated
May 27, 2026 - 20:53 vuln.today

DescriptionCVE.org

Function calls to WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface() in various DLLs (i.e., WOSProfileMgrModule.dll, WOSWebDavModule.dll) can return a NULL pointer (i.e., when no user is logged into the Triofox Server Agent Management Console). The returned NULL pointer is not checked before being dereferenced.

AnalysisAI

Denial of service in Gladinet Triofox lets remote unauthenticated attackers crash the Triofox Server Agent by triggering a NULL pointer dereference. The function WOSSysInfoGetDeviceInterface() in WOSCommonUtil.dll returns NULL whenever no user is logged into the Server Agent Management Console, and callers such as WOSProfileMgrModule.dll and WOSWebDavModule.dll dereference that pointer without checking it, causing a process crash. There is no public exploit identified at time of analysis and the issue affects only availability (CVSS 7.5).

Technical ContextAI

Triofox is Gladinet's enterprise file-sharing and remote-access platform; the affected component is the Triofox Server Agent, whose functionality is split across multiple native Windows DLLs. A shared helper, WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface(), is intended to return a device-interface handle but instead returns NULL under a specific runtime state - when no user session is active in the Server Agent Management Console. Consuming modules (WOSProfileMgrModule.dll for profile management, WOSWebDavModule.dll for WebDAV handling, and others) call this helper and immediately dereference the result. This maps to CWE-476 (NULL Pointer Dereference): the root cause is a missing return-value validation between a function that can legitimately return NULL and the code paths that assume a valid pointer, leading to an access violation that terminates the agent process.

RemediationAI

No vendor-released patch version was identified in the available data, so confirm the current fix status and affected version range directly against the Tenable advisory (https://www.tenable.com/security/research/TRA-2026-45) and Gladinet's official Triofox release notes, then upgrade to the vendor-fixed build once published. As compensating controls until a patch is confirmed: restrict network access to the Triofox Server Agent and its Management Console interface to trusted management networks via firewall/ACLs rather than exposing it to the internet (trade-off: legitimate remote-management workflows must originate from allowed ranges); keep an authenticated user session active in the Server Agent Management Console where operationally feasible, since the NULL is returned specifically when no user is logged in (trade-off: this is a fragile, partial mitigation, not a fix, as sessions expire); and monitor the agent process for unexpected crashes/restarts so DoS attempts are detected and the service can be auto-recovered. Do not invent a patch version - cite only what the vendor advisory confirms.

Share

EUVD-2026-32645 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy