Skip to main content

openSeaChest EUVDEUVD-2026-34045

| CVE-2026-10719 LOW
Out-of-bounds Write (CWE-787)
2026-06-02 c6156efd-4bd0-48d7-8520-680200527478 GHSA-6rch-j2wj-8h2j
1.8
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.8 LOW
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:L/U:Clear

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:L/U:Clear
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
N

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 23:32 vuln.today

DescriptionCVE.org

Out of bounds write in openSeaChest’s --showSupportedFormats in Seagate’s openSeaChest v25.05.3 on all supported platforms allows for writing 1 extra byte outside of allocated memory which sets a value to 1 via a maliciously crafted NVMe device with a bogus value in the namespace FLBAS byte.

AnalysisAI

Out-of-bounds write in openSeaChest v25.05.3's --showSupportedFormats command allows a high-privileged local attacker to corrupt one byte beyond an allocated buffer by presenting a maliciously crafted NVMe device with a bogus namespace FLBAS (Format LBA Size) value, forcing that byte to 1. Affected platforms include all systems supported by the toolkit. With a CVSS 4.0 score of 1.8, this is a minimal-severity issue requiring both high privileges and a specially crafted physical or emulated NVMe device; no public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

openSeaChest is Seagate's open-source cross-platform CLI toolkit for storage device diagnostics and management. The vulnerable code path is invoked via the --showSupportedFormats subcommand, which reads NVMe namespace metadata including the FLBAS byte - a field encoding the current LBA format index in use. When a malicious NVMe device returns an out-of-range or unexpected FLBAS value, the parsing routine writes one byte past the end of an allocated memory region (CWE-787: Out-of-bounds Write), setting it to the value 1. This is a classic off-by-one boundary error triggered by unsanitized device-supplied data. The CVSS 4.0 vector (AV:L/AC:H/AT:P/PR:H) confirms the vulnerability class: local access, high attack complexity, a specific attack target prerequisite (the crafted NVMe device must be present), and high privilege requirements, all of which bound the realistic exploitation surface sharply.

Affected ProductsAI

Seagate openSeaChest version v25.05.3 is affected across all supported platforms - including Linux, Windows, and other operating systems the toolkit supports, as explicitly stated in the CVE description. No CPE string was provided in the available data. Vendor-authoritative details are published at the Seagate product security advisory page (https://www.seagate.com/product-security/#security-advisories) and the openSeaChest software page (https://www.seagate.com/support/software/seachest/).

RemediationAI

Consult Seagate's security advisory at https://www.seagate.com/product-security/#security-advisories for an updated release. No exact patched version number was confirmed in the available data - the patch status is 'patch available per vendor advisory' but the specific fix version is not independently verified from provided references. As compensating controls pending a confirmed patch: restrict execution of openSeaChest (particularly the --showSupportedFormats subcommand) to only explicitly authorized administrators, reducing exposure from the PR:H prerequisite; enforce OS-level storage device allowlisting (e.g., udev rules on Linux, Windows Device Installation policies) to prevent unauthorized or emulated NVMe devices from being recognized by the system, which directly eliminates the AT:P attack target prerequisite; and audit environments where untrusted storage hardware may be connected. The CVSS vector notes automatic recoverability (R:A), suggesting corruption effects may be transient. No side effects from device allowlisting beyond blocking unapproved hardware attachment are expected.

Share

EUVD-2026-34045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy