Synology: Two Security Advisories on Resolved Vulnerabilities
SA-26:04 concerning Mail Station, and SA-26:03 on GNU Inetutils
This is a Press Release edited by StorageNewsletter.com on April 9, 2026 at 2:00 pm

Synology, Inc. has published two security advisories concerning resolved vulnerabilities.
Synology-SA-26:04 Mail Station
Publish Time: 2026-03-31 13:37:19 UTC+8
Last Updated: 2026-03-31 13:37:33 UTC+8
Severity: Moderate
Status: Resolved
Abstract
Synology has released a security update for the Mail Station package in DSM to address a vulnerability:
- CVE-2026-5129 allows remote authenticated users to read or write limited files.
Refer to the ‘Affected Products’ table for the corresponding updates.
Affected Products:

| Product | Severity | Fixed Release Availability |
|---|---|---|
| Mail Station for DSM 7.3 | Moderate | Upgrade to 30000001.3.19-20332 or above. |
| Mail Station for DSM 7.2.2 | Moderate | Upgrade to 30000001.3.19-20332 or above. |
| Mail Station for DSM 7.2.1 | Moderate | Upgrade to 30000001.3.19-20332 or above. |

Mitigation: None
Detail
- CVE-2026-5129
  - Severity: Moderate
  - CVSS3 Base Score: 6.3
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  - CWE-94: Improper Control of Generation of Code (‘Code Injection’)
  - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided
Acknowledgement: chris.au
Revision:

| Revision | Date | Description |
|---|---|---|
| 1 | 2026-03-31 | Initial public release. |

Synology-SA-26:03 GNU Inetutils
Publish Time: 2026-03-19 14:32:42 UTC+8
Last Updated: 2026-03-31 14:13:55 UTC+8
Severity: Critical
Status: Resolved
Abstract
Synology has released a security update for DiskStation Manager (DSM) to address an issue in the telnetd of GNU Inetutils.
- CVE-2026-32746 may allow unauthenticated remote attackers to execute arbitrary commands.
Refer to the Affected Products table for the corresponding updates.
Affected Products:

| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 7.3 | Critical | Upgrade to 7.3.2-86009-3 or above. |
| DSM 7.2.2 | Critical | Upgrade to 7.2.2-72806-8 or above. |
| DSM 7.2.1 | Critical | Upgrade to 7.2.1-69057-11 or above. |
| DSMUC 3.1 | Critical | Upgrade to 3.1.5-23082 or above. |
| BeeStation OS 1.4 | Not affected | N/A |
| SRM 1.3 | Not affected | N/A |
| VS600HD 1.2 | Not affected | N/A |

Mitigation
It is recommended to disable the Telnet service to reduce potential risk.
This can be done by navigating to Control Panel > Terminal, unchecking Enable Telnet service, and then clicking Apply.
Detail
- CVE-2026-32746
  - Severity: Critical
  - CVSS3 Base Score: 9.8
  - CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  - CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  - telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full
Reference: CVE-2026-32746
Revision:

| Revision | Date | Description |
|---|---|---|
| 1 | 2026-03-19 | Initial public release. |
| 2 | 2026-03-31 | Update for DSMUC 3.1 is now available in Affected Products. |

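
As an added example (not part of Synology's advisory or of this press release), the following Python script compares an installed release string against the SA-26:03 fixed releases from the Affected Products table. The function names and the sample inventory are assumptions made for illustration, and release strings are assumed to follow the X.Y.Z-build-update form used in that table.

```python
import re

# Fixed releases copied from the SA-26:03 Affected Products table.
FIXED = {
    ("DSM", (7, 3)): "7.3.2-86009-3",
    ("DSM", (7, 2, 2)): "7.2.2-72806-8",
    ("DSM", (7, 2, 1)): "7.2.1-69057-11",
    ("DSMUC", (3, 1)): "3.1.5-23082",
}
# Branches the advisory lists as "Not affected".
NOT_AFFECTED = {("BeeStation OS", (1, 4)), ("SRM", (1, 3)), ("VS600HD", (1, 2))}


def parse_release(text):
    """Split 'X.Y[.Z]-build[-update]' into (version tuple, build, update)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)+)-(\d+)(?:-(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    version = tuple(int(p) for p in m.group(1).split("."))
    # Assumption: a release without an update suffix sorts as update 0.
    # Fields are compared as integers, so update 9 sorts below update 11.
    return version, int(m.group(2)), int(m.group(3) or 0)


def sa_26_03_status(product, installed):
    """Return 'not affected', 'fixed', 'needs update' or 'not listed'."""
    release = parse_release(installed)
    version = release[0]
    # Try the most specific branch first, so 7.2.2 is matched before 7.2.
    for n in range(len(version), 1, -1):
        branch = (product, version[:n])
        if branch in NOT_AFFECTED:
            return "not affected"
        if branch in FIXED:
            fixed = parse_release(FIXED[branch])
            return "fixed" if release >= fixed else "needs update"
    return "not listed"  # branch absent from the advisory; do not guess


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    inventory = [
        ("nas-01", "DSM", "7.2.2-72806-5"),
        ("nas-02", "DSM", "7.3.2-86009-3"),
        ("nas-03", "DSM", "7.2.1-69057-9"),
        ("rtr-01", "SRM", "1.3.1-9346-12"),
    ]
    for host, product, installed in inventory:
        print(f"{host}: {product} {installed}: {sa_26_03_status(product, installed)}")
```

A "not listed" result means the branch does not appear in the advisory table, so it says nothing about whether that release is affected.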






