CVE-2026-2336 | Microchip IStaX up to 2026.2 webstax_auth entropy

VDB-357953 · CVE-2026-2336 · EUVD-2026-23272 MICROCHIP ISTAX UP TO 2026.2 WEBSTAX_AUTH ENTROPY HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 3.0 $0-$5k 1.83+ Summaryinfo A vulnerability, which was classified as problematic, has been found in Microchip IStaX up to 2026.2. This affects an unknown part. The manipulation of the argument webstax_auth leads to entropy. This vulnerability is listed as CVE-2026-2336. The attack may be initiated remotely. There is no available exploit. It is advisable to upgrade the affected component. Detailsinfo A vulnerability was found in Microchip IStaX up to 2026.2 and classified as problematic. This issue affects an unknown functionality. The manipulation of the argument webstax_auth with an unknown input leads to a entropy vulnerability. Using CWE to declare the problem leads to CWE-331. The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. Impacted is confidentiality. The summary by CVE is: A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a new cookie with administrative privileges.This issue affects IStaX before 2026.03. The weakness was presented by Rickard Jonsson. The advisory is shared at microchip.com. The identification of this vulnerability is CVE-2026-2336 since 02/11/2026. The exploitation is known to be difficult. The attack may be initiated remotely. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1600.001 for this issue. Upgrading to version 2026.03 eliminates this vulnerability. The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-23272). Productinfo Vendor Microchip Name IStaX Version 2026.0 2026.1 2026.2 CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 3.1 VulDB Meta Temp Score: 3.0 VulDB Base Score: 3.1 VulDB Temp Score: 3.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Entropy CWE: CWE-331 / CWE-330 / CWE-310 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: IStaX 2026.03 Timelineinfo 02/11/2026 CVE reserved 04/16/2026 +63 days Advisory disclosed 04/16/2026 +0 days VulDB entry created 04/16/2026 +0 days VulDB entry last update Sourcesinfo Advisory: microchip.com Researcher: Rickard Jonsson Status: Confirmed CVE: CVE-2026-2336 (🔒) GCVE (CVE): GCVE-0-2026-2336 GCVE (VulDB): GCVE-100-357953 EUVD: 🔒 Entryinfo Created: 04/16/2026 21:32 Updated: 04/16/2026 21:54 Changes: 04/16/2026 21:32 (35), 04/16/2026 21:33 (33), 04/16/2026 21:54 (1) Complete: 🔍 Cache ID: 99:4C5:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸