{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21422", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2025-12-24T16:33:47.095Z", "datePublished": "2026-03-04T12:57:38.774Z", "dateUpdated": "2026-04-30T08:26:50.159Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-04-30T08:26:50.159Z"}, "datePublic": "2026-02-24T18:30:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-15", "description": "CWE-15: External Control of System or Configuration Setting", "type": "CWE"}]}], "affected": [{"vendor": "Dell", "product": "PowerScale OneFS", "versions": [{"status": "affected", "version": "9.11.0.0 through 9.12.0.1", "lessThan": "9.13.0.0 or later", "versionType": "semver"}, {"status": "affected", "version": "9.10.0.0 through 9.10.1.5", "lessThan": "9.10.1.6 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Dell PowerScale OneFS, versions 9.10.0.0 through 9.13.1.0, contains an external control of system or configuration setting vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to protection mechanism bypass.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Dell PowerScale OneFS, versions 9.10.0.0 through <strong>9.13.1.0</strong>, contains an external control of system or configuration setting vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to protection mechanism bypass."}]}], "references": [{"url": "https://www.dell.com/support/kbdoc/en-sg/000432452/dsa-2026-038-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "LOW", "baseScore": 3.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T14:09:01.547846Z", "id": "CVE-2026-21422", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T14:09:13.906Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21422", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T14:09:01.547846Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T14:09:09.487Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.4, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "PowerScale OneFS", "versions": [{"status": "affected", "version": "9.11.0.0 through 9.12.0.1", "lessThan": "9.13.0.0 or later", "versionType": "semver"}, {"status": "affected", "version": "9.10.0.0 through 9.10.1.5", "lessThan": "9.10.1.6 or later", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-24T18:30:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-sg/000432452/dsa-2026-038-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Dell PowerScale OneFS, versions 9.10.0.0 through 9.10.1.5 and versions 9.11.0.0 through 9.12.0.1, contains an external control of system or configuration setting vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to protection mechanism bypass.", "supportingMedia": [{"type": "text/html", "value": "Dell PowerScale OneFS, versions 9.10.0.0 through 9.10.1.5 and versions 9.11.0.0 through 9.12.0.1, contains an external control of system or configuration setting vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to protection mechanism bypass.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-15", "description": "CWE-15: External Control of System or Configuration Setting"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-03-04T12:57:38.774Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21422", "state": "PUBLISHED", "dateUpdated": "2026-03-04T14:09:13.906Z", "dateReserved": "2025-12-24T16:33:47.095Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2026-03-04T12:57:38.774Z", "assignerShortName": "dell"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:dell:powerscale_onefs:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A810642-CEB5-493F-918D-1158F32A6273", "versionEndExcluding": "9.10.1.6", "versionStartIncluding": "9.10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:dell:powerscale_onefs:*:*:*:*:*:*:*:*", "matchCriteriaId": "23042111-E6E9-4C6B-8A89-2E7E3F44103F", "versionEndExcluding": "9.13.0.0", "versionStartIncluding": "9.11.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell PowerScale OneFS, versions 9.10.0.0 through 9.13.1.0, contains an external control of system or configuration setting vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to protection mechanism bypass."}, {"lang": "es", "value": "Dell PowerScale OneFS, versiones 9.10.0.0 a 9.10.1.5 y versiones 9.11.0.0 a 9.12.0.1, contiene una vulnerabilidad de control externo de la configuraci\u00f3n o del sistema. Un atacante con altos privilegios y acceso local podr\u00eda potencialmente explotar esta vulnerabilidad, lo que podr\u00eda llevar a la elusi\u00f3n del mecanismo de protecci\u00f3n."}], "id": "CVE-2026-21422", "lastModified": "2026-04-30T09:16:02.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.4, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 2.5, "source": "security_alert@emc.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-04T13:15:57.147", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-sg/000432452/dsa-2026-038-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-15"}], "source": "security_alert@emc.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.11.0.0,9.12.0.1]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.10.0.0,9.10.1.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "PowerScale OneFS", "source": "cna", "vendor": "Dell"}, "product": "powerscale_onefs", "vendor": "dell"}], "analysis": {"en": {"generated_at": "2026-04-17T13:11:41.924145+00:00", "value": {"mitigation_remediation": ["Apply Dell's security update for PowerScale OneFS that addresses the external control issue.", "Upgrade all affected nodes to a version beyond 9.12.0.1 to ensure the vulnerability is fixed.", "Restrict local privileged user access to the OneFS system to reduce the attack surface for potential exploitation."], "summary": {"action": "Patch", "impact": "Protection Mechanism Bypass"}, "threat_synthesis": {"affected_systems": "Dell PowerScale OneFS, versions 9.10.0.0 through 9.10.1.5 and 9.11.0.0 through 9.12.0.1 are vulnerable. These versions run on Dell\u2019s OneFS operating system and must be updated to mitigate the issue.", "description_and_impact": "The vulnerability enables a high\u2011privileged local attacker to alter system or configuration settings, allowing bypass of protection mechanisms. Identified as CWE\u201115, it indicates external control of system or configuration setting. If exploited, the integrity of the PowerScale cluster\u2019s security controls could be compromised, potentially facilitating further unauthorized actions.", "risk_and_exploitability": "The CVSS score is 3.4, reflecting low overall severity. The EPSS score is below 1 percent, indicating a very low expected exploitation rate. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a local attacker with high privileges, who can then modify configuration settings to bypass protection mechanisms. While the attack vector is limited to local privileged access, the potential impact on system integrity makes patching a prudent measure."}}}}, "created": "2026-03-04T21:03:33.189772+00:00", "title": "External Control of System Setting in Dell PowerScale OneFS Enables Protection Mechanism Bypass", "updated": "2026-04-17T13:15:19.686602+00:00", "vendors": ["dell", "dell$PRODUCT$powerscale_onefs"]}