Description
A NULL pointer dereference vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following version:
File Station 5 5.5.6.5208 and later
Published: 2026-06-10
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference vulnerability was identified in QNAP File Station 5, allowing a remote user who already has account credentials to trigger a denial‑of‑service attack. The flaw occurs when the application fails to validate a null pointer before dereferencing, causing the service to crash. Successful exploitation results in service interruption, impacting availability of the file share for all connected clients. No data loss or unauthorized access is observed from the provided information.

Affected Systems

The vulnerability affects QNAP Systems Inc.’s File Station 5 component. All releases before version 5.5.6.5208 are potentially impacted. Users running any earlier version should verify their installed build and plan to update accordingly.

Risk and Exploitability

With a CVSS score of 5.3, the vulnerability is categorized as moderate. The EPSS score is unavailable, and the issue is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation. An attacker would need remote access to a legitimate user account, after which they can trigger the crash by interacting with the vulnerable service. Because the flaw requires authentication, the threat surface is reduced compared to fully unauthenticated vulnerabilities, but the impact to service availability could still disrupt business operations.

Generated by OpenCVE AI on June 10, 2026 at 04:22 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5208 and later

OpenCVE Recommended Actions

  • Upgrade QNAP File Station to version 5.5.6.5208 or later
  • Restrict access to the File Station service by configuring firewall rules or network segmentation to limit exposure to trusted networks
  • Enforce strong authentication practices, such as unique, complex passwords and two‑factor authentication, to prevent unauthorized access that could exploit the vulnerability

Generated by OpenCVE AI on June 10, 2026 at 04:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Description A NULL pointer dereference vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5208 and later
Title File Station 5
Weaknesses CWE-476
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-10T03:07:48.525Z

Reserved: 2026-01-13T07:49:08.784Z

Link: CVE-2026-22899

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T04:17:16.270

Modified: 2026-06-10T04:17:16.270

Link: CVE-2026-22899

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T04:30:06Z

Weaknesses