CVE-2026-24716: QNAP NULL Pointer Dereference DoS Vulnerability – Patch Guidance
A NULL pointer dereference flaw in QNAP NAS operating systems allows authenticated administrators to crash the system and cause a denial-of-service. An attacker must already have administrator credentials to exploit this vulnerability, which limits the attack surface but remains a significant risk for organizations where admin accounts may be compromised or insider threats exist. QNAP has released patched versions across multiple OS lines to address this issue.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-30
NVD description (verbatim)
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-24716 is a NULL pointer dereference (CWE-476) affecting QNAP QTS and QuTS hero operating systems. The vulnerability requires high-privilege authentication (administrator account) to trigger, meaning an attacker must obtain valid admin credentials before exploitation is possible. When successfully triggered, the flaw causes the affected process to dereference a null pointer, resulting in an unhandled exception that crashes the service or OS, enabling a denial-of-service condition. The CVSS 3.1 score of 7.2 reflects the high-privilege prerequisite offset by high impact across confidentiality, integrity, and availability dimensions.
Business impact
Organizations running vulnerable QNAP NAS systems face operational disruption if an administrator account is compromised. Depending on the NAS role, a DoS attack could interrupt file services, backup operations, or surveillance storage, leading to data unavailability and potential SLA breaches. The high-privilege requirement somewhat limits exposure compared to unauthenticated RCE, but insider threats and credential compromise remain realistic attack vectors. Recovery from a crash may also require manual intervention, extending downtime.
Affected systems
QNAP QTS and QuTS hero platforms are affected across multiple versions. Patched builds include QTS 5.2.9.3492 (20260507 and later), QuTS hero h5.2.9.3499 (20260514 and later), QuTS hero h5.3.4.3500 (20260520 and later), and QuTS hero h6.0.0.3459 (20260409 and later). Organizations should verify their current build numbers against these patch thresholds to determine exposure.
Exploitability
Exploitability is moderate. While a NULL pointer dereference is a well-understood vulnerability class, the requirement for administrator authentication significantly restricts who can trigger it. No public exploit code or active in-the-wild exploitation has been reported. The vulnerability is not on CISA's Known Exploited Vulnerabilities (KEV) catalog. An attacker must first compromise or be granted legitimate admin access, making this a post-authentication attack rather than a primary entry point.
Remediation
Apply the patched QNAP OS versions immediately. For each product line, update to the minimum build version specified: QTS 5.2.9.3492 build 20260507 or later, or the appropriate QuTS hero h-series build. Test patches in a non-production environment before broad deployment to ensure compatibility with existing configurations. Consider enforcing strong password policies and multi-factor authentication for administrator accounts to reduce credential compromise risk.
Patch guidance
QNAP has released patches across all affected OS versions. Consult the QNAP security advisory for your specific NAS model and current OS version to identify the required build. Patching can typically be performed through the system management interface, though administrators should schedule updates during maintenance windows to minimize service disruption. Verify successful patch installation by confirming the build number matches or exceeds the patched threshold. If you operate multiple NAS appliances, prioritize units storing critical data or supporting mission-critical services.
Detection guidance
Monitor for unexpected crashes or service restarts of QNAP NAS systems, particularly those occurring shortly after administrative console access. Review system logs and audit trails for unusual administrator account activity or failed authentication attempts that might indicate credential compromise. Network-based detection is limited due to the post-authentication nature; focus on endpoint and application-level logging. Consider triggering alerts on rapid successive admin logins from unusual locations or IPs.
Why prioritize this
This vulnerability merits prompt but measured attention. The HIGH severity score and broad product range affected justify timely patching. However, the administrator-only requirement reduces immediate risk compared to unauthenticated vulnerabilities. Prioritize patching for NAS systems exposed to untrusted networks or those with weaker administrative access controls. Organizations with robust admin account hygiene (strong passwords, MFA, limited privilege delegation) can sequence this slightly lower than critical RCE vulnerabilities.
Risk score, explained
The CVSS 3.1 score of 7.2 (HIGH) reflects three factors: (1) network-accessible attack vector with no user interaction required once authenticated, (2) high-privilege requirement that gates exploitation, and (3) complete impact on availability (DoS) with stated high impact on confidentiality and integrity. The privileged access prerequisite prevents a critical rating but does not eliminate significant risk, particularly for organizations with larger admin teams or weaker credential management.
Frequently asked questions
Can this vulnerability be exploited without administrator credentials?
No. The vulnerability requires high-privilege administrator authentication to trigger. An attacker must first obtain or be granted legitimate admin account access. This significantly limits exposure compared to unauthenticated vulnerabilities, but insider threats and compromised credentials remain realistic concerns.
What happens when the vulnerability is exploited?
Exploitation causes a NULL pointer dereference that crashes the affected service or operating system, resulting in denial-of-service. The system becomes unavailable until manual or automatic recovery occurs. There is no data exfiltration or system compromise; the impact is strictly availability-related.
Is this vulnerability actively being exploited in the wild?
No public exploit code or active exploitation has been reported. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog. However, organizations should not rely solely on lack of known exploitation as justification to delay patching, particularly if admin credentials may be at risk.
Do I need to patch all QNAP systems immediately, or can I prioritize?
Prioritize NAS systems that store critical data, support mission-critical services, or are accessible to untrusted network segments. Systems with strong administrative access controls and restricted user bases can be sequenced slightly lower. However, all vulnerable systems should be patched within a defined maintenance window to maintain security posture.
This analysis is based on publicly disclosed vulnerability information as of June 2026. Patch version numbers and build dates are derived from the QNAP security advisory and should be verified against official QNAP documentation before deployment. Organizations should perform their own risk assessment and testing in non-production environments. This document is provided for informational purposes and does not constitute professional security advice. Consult with your security team and QNAP support for implementation guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-62850HIGHQNAP QuTS hero NULL Pointer Dereference DoS Vulnerability
- CVE-2025-66281HIGHQNAP NULL Pointer Dereference DoS Vulnerability (HIGH)
- CVE-2026-22899MEDIUMQNAP File Station 6 NULL Pointer Dereference DoS Vulnerability
- CVE-2025-55657HIGHGPAC MP4Box NULL Pointer Dereference Denial of Service
- CVE-2025-59604HIGHQualcomm Snapdragon Memory Corruption Vulnerability – HIGH Severity
- CVE-2025-59606HIGHQualcomm Chipset Memory Corruption Local Privilege Escalation
- CVE-2025-70099HIGHNULL Pointer Dereference in lwext4 Directory Parsing (Denial of Service)
- CVE-2026-3238HIGHSamba WINS Server NULL Pointer Dereference DoS Vulnerability