An integer overflow or wraparound flaw exists in QNAP's QTS and QuTS hero operating systems. The weakness allows a malicious actor who has gained an administrator account to exploit memory handling logic, potentially altering program execution flow or corrupting data. This can lead to unauthorized system compromise, data theft, or further escalation of privileges. The flaw is formally categorized under CWE‑121 (Stack-based Buffer Overflow) and CWE‑190 (Integer Overflow or Wraparound).

The vulnerability affects QNAP Systems Inc.'s QTS and QuTS hero firmware. Specifically, any install of QTS older than build 20260214 in version 5.2.9.3410 or later releases, QuTS hero h5.2.9.3410 earlier than build 20260214, QuTS hero h5.3.4.3500 before build 20260520, and QuTS hero h6.0.0.3397 prior to build 20260206 are susceptible. Firmware versions before these builds lack the necessary patch to prevent the overflow.

The CVSS score of 5.1 indicates moderate severity. EPSS data is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires remote access combined with an administrative account, meaning attackers that can compromise or guess admin credentials can potentially launch the overflow attack. Because the flaw involves integer handling, a successful exploit could allow arbitrary code execution or arbitrary privilege escalation on the affected device.