{"api_version":"1","generated_at":"2026-04-23T05:59:12+00:00","cve":"CVE-2026-22627","urls":{"html":"https://cve.report/CVE-2026-22627","api":"https://cve.report/api/cve/CVE-2026-22627.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-22627","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-22627"},"summary":{"title":"CVE-2026-22627","description":"A buffer copy without checking size of input ('classic buffer overflow') vulnerability in Fortinet FortiSwitchAXFixed 1.0.0 through 1.0.1 may allow an unauthenticated attacker within the same adjacent network to execute unauthorized code or commands on the device via sending a crafted LLDP packet.","state":"PUBLISHED","assigner":"fortinet","published_at":"2026-03-10 18:18:12","updated_at":"2026-04-09 20:54:45"},"problem_types":["CWE-120","CWE-120 Execute unauthorized code or commands"],"metrics":[{"version":"3.1","source":"psirt@fortinet.com","type":"Secondary","score":"8.8","severity":"HIGH","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.7","severity":"HIGH","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","data":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","version":"3.1"}}],"references":[{"url":"https://fortiguard.fortinet.com/psirt/FG-IR-26-086","name":"https://fortiguard.fortinet.com/psirt/FG-IR-26-086","refsource":"psirt@fortinet.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-22627","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22627","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Fortinet","product":"FortiSwitchAXFixed","version":"affected 1.0.0 1.0.1 semver","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Upgrade to FortiSwitchAX-Chassis version 1.0.0 or above\nUpgrade to FortiSwitchAXFixed version 1.0.2 or above","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"22627","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fortinet","cpe5":"fortiswitchaxfixed","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"22627","cve":"CVE-2026-22627","epss":"0.000320000","percentile":"0.090240000","score_date":"2026-04-15","updated_at":"2026-04-16 00:13:57"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-22627","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-03-12T14:37:35.216423Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-12T14:37:44.121Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"cpes":["cpe:2.3:a:fortinet:fortiswitchaxfixed:1.0.1:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortiswitchaxfixed:1.0.0:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","product":"FortiSwitchAXFixed","vendor":"Fortinet","versions":[{"lessThanOrEqual":"1.0.1","status":"affected","version":"1.0.0","versionType":"semver"}]}],"descriptions":[{"lang":"en","value":"A buffer copy without checking size of input ('classic buffer overflow') vulnerability in Fortinet FortiSwitchAXFixed 1.0.0 through 1.0.1 may allow an unauthenticated attacker within the same adjacent network to execute unauthorized code or commands on the device via sending a crafted LLDP packet."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-120","description":"Execute unauthorized code or commands","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-10T16:44:12.887Z","orgId":"6abe59d8-c742-4dff-8ce8-9b0ca1073da8","shortName":"fortinet"},"references":[{"name":"https://fortiguard.fortinet.com/psirt/FG-IR-26-086","url":"https://fortiguard.fortinet.com/psirt/FG-IR-26-086"}],"solutions":[{"lang":"en","value":"Upgrade to FortiSwitchAX-Chassis version 1.0.0 or above\nUpgrade to FortiSwitchAXFixed version 1.0.2 or above"}]}},"cveMetadata":{"assignerOrgId":"6abe59d8-c742-4dff-8ce8-9b0ca1073da8","assignerShortName":"fortinet","cveId":"CVE-2026-22627","datePublished":"2026-03-10T16:44:12.887Z","dateReserved":"2026-01-08T06:49:28.868Z","dateUpdated":"2026-03-12T14:37:44.121Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-10 18:18:12","lastModifiedDate":"2026-04-09 20:54:45","problem_types":["CWE-120","CWE-120 Execute unauthorized code or commands"],"metrics":{"cvssMetricV31":[{"source":"psirt@fortinet.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:fortinet:fortiswitchaxfixed:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0.0","versionEndExcluding":"1.0.2","matchCriteriaId":"1DE31518-C416-48C9-9B35-CA73232CDBB0"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"22627","Ordinal":"1","Title":"CVE-2026-22627","CVE":"CVE-2026-22627","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"22627","Ordinal":"1","NoteData":"A buffer copy without checking size of input ('classic buffer overflow') vulnerability in Fortinet FortiSwitchAXFixed 1.0.0 through 1.0.1 may allow an unauthenticated attacker within the same adjacent network to execute unauthorized code or commands on the device via sending a crafted LLDP packet.","Type":"Description","Title":"CVE-2026-22627"}]}}}