Severity: High

Out-of-bounds write in Siemens CPCI85/SICORE XML parser

Identifiers: CVE-2026-27664; CWE-787 (Out-of-bounds Write)

CVE-2026-27664 is an out-of-bounds write vulnerability affecting Siemens CPCI85 Central Processing/Communication (all versions earlier than V26.10) and SICORE Base system (all versions earlier than V26.10.0). The flaw is triggered while parsing specially crafted XML input. Supporting analysis traces the issue to XML parsing logic built on libexpat callback handlers in affected binaries, including IHI00.elf and RTUM85.elf: when XML tag depth exceeds an internal limit, parser state handling becomes inconsistent, and the end-element handler performs an out-of-bounds access on user-controlled parser state, writing null bytes beyond the intended buffer boundary. An unauthenticated remote attacker can send a crafted XML POST request to trigger the memory corruption and crash the service; the advisory also notes the corruption may potentially enable remote code execution, although the primary documented impact is denial of service.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can crash the affected service and cause a denial-of-service condition. Reported proof-of-concept behavior includes crashing the IHI00.elf application, after which a watchdog process may reboot the device. Supporting research further states the out-of-bounds write can write null bytes to an arbitrary memory address beyond the buffer location, including stack-adjacent memory, which may increase the possibility of more severe outcomes such as remote code execution; however, the vendor-described and CVSS-scored impact is primarily availability loss.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network access to the affected devices and exposed web/XML interfaces. Apply network segmentation, place affected OT devices behind firewalls, use VPNs for remote access, minimize or eliminate direct internet exposure, and isolate control-system networks from business networks. More generally, limit access to trusted management networks and reduce the ability of unauthenticated parties to submit XML requests to the vulnerable service.
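As an added example (not Siemens code and not from the advisory), a Python pre-check that a gateway in front of the device could run on inbound XML: it mirrors the libexpat start/end element callback structure described above but bounds the element stack, so input nested deeper than an assumed policy limit is rejected before it reaches the vulnerable parser. MAX_DEPTH, DepthBoundedChecker and the nested sample input are assumptions.

```python
import xml.parsers.expat

# Assumed policy limit (not a Siemens value): tune it to the deepest
# legitimate document the device is expected to receive.
MAX_DEPTH = 32


class DepthBoundedChecker:
    """Hypothetical gateway-side checker (not Siemens code): mirrors the
    libexpat start/end element callbacks but keeps the element stack
    bounded, so nesting deeper than max_depth is refused up front."""

    def __init__(self, max_depth=MAX_DEPTH):
        self.max_depth = max_depth
        self.stack = []      # names of elements currently open
        self.peak = 0        # deepest nesting observed
        self.error = None
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end

    def _start(self, name, attrs):
        # Enforce the bound BEFORE pushing, so the depth counter can never
        # run past the buffer that the end handler later indexes.
        if len(self.stack) >= self.max_depth:
            raise ValueError(f"nesting depth exceeds {self.max_depth} at <{name}>")
        self.stack.append(name)
        self.peak = max(self.peak, len(self.stack))

    def _end(self, name):
        # Keep the stack invariant explicit: never pop what start never pushed.
        if not self.stack or self.stack[-1] != name:
            raise ValueError(f"unbalanced end tag </{name}>")
        self.stack.pop()

    def check(self, data):
        """True if data is well-formed XML within the depth bound; on
        rejection the reason is left in self.error."""
        try:
            self.parser.Parse(data, True)   # handler exceptions propagate here
        except (ValueError, xml.parsers.expat.ExpatError) as exc:
            self.error = str(exc)
            return False
        return True

def xml_depth_ok(data, max_depth=MAX_DEPTH):
    """One-shot wrapper: a fresh parser per request."""
    return DepthBoundedChecker(max_depth).check(data)

def nested_xml(depth):
    """Constructed sample input: <a> nested `depth` levels deep."""
    return b"<a>" * depth + b"</a>" * depth
```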

Remediation

Patch, then assume compromise.

Upgrade affected Siemens components to fixed versions. Specifically, update CPCI85 Central Processing/Communication to V26.10 or later and SICORE Base system to V26.10.0 or later. Siemens recommends applying the vendor-provided security updates using the corresponding tooling and documented procedures, validating updates before deployment, and supervising the update process with trained staff.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor  | Product                                 | Type
Siemens | CPCI85 Central Processing/Communication | application
Siemens | SICORE Base System                      | operating_system

Vendor-confirmed product mapping.
