Delta Electronics COMMGR2: Unauthenticated Stack-Based Buffer Overflow Enabling RCE

CVE-2026-3630 · Critical · Published

  • CVSS: 9.8 Critical · Network · No PR
  • EPSS: 0.00026 (0.0% chance of exploit in 30d)
  • CWE: CWE-787 Out-of-bounds Write
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Per Praetorian’s blog: “CVE-2026-3630 represents a critical out-of-bounds write vulnerability in Delta Electronics COMMGR2 … the vulnerability enables remote attackers to execute arbitrary code without authentication or user interaction.” NVD also classifies this as a stack-based buffer overflow (CWE-787).

Affected Packages / Versions

  • Package: Delta Electronics COMMGR2
  • Latest published version at triage time: See vendor advisory Delta-PCSA-2026-00005
  • Affected range: See vendor advisory Delta-PCSA-2026-00005 (Praetorian's blog defers to the vendor advisory for specific version ranges)
  • Patched version: See vendor advisory Delta-PCSA-2026-00005

Impact

Per Praetorian’s blog: COMMGR2 “is commonly deployed in industrial automation environments, including manufacturing, building automation, energy, and logistics sectors” and “typically runs on engineering workstations and servers that support Delta’s industrial control systems and automation equipment.” The blog continues: “Industrial environments where COMMGR2 is installed on operator or engineering workstations may face particular risk, as successful exploitation could potentially enable attackers to pivot into operational technology (OT) networks or manipulate industrial control configurations.” Praetorian notes “No evidence of active exploitation in the wild” at the time of publication.

Severity Rationale

Per Praetorian’s blog: “The CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N indicates this is a network-accessible flaw with low attack complexity. It requires no privileges or user interaction. As a result, it earns a Critical 9.8 rating.”

Fix

Per Praetorian’s blog: “Delta Electronics has released a Product Cybersecurity Advisory (Delta-PCSA-2026-00005) addressing this vulnerability alongside CVE-2026-3631, indicating joint disclosure of multiple COMMGR2 security issues.”

Disclosure timeline

  • TBD: Reported to vendor
  • TBD: Patch released (per Delta-PCSA-2026-00005)
  • Mar 19, 2026: Public disclosure (per Praetorian cve-research listing)

    Discovered by Praetorian Labs · Published April 29, 2026