CVE-2026-23565: TeamViewer DEX Client DoS Vulnerability

CVE-2026-23565 Overview

A vulnerability exists in the TeamViewer DEX Client (formerly known as 1E Client) Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows. This flaw allows an attacker on an adjacent network to send specially crafted requests that cause the NomadBranch.exe process to terminate unexpectedly. Successful exploitation results in a denial-of-service condition affecting the Content Distribution Service.

Critical Impact

An attacker with access to the adjacent network can remotely disrupt the Content Distribution Service, potentially affecting software deployment and content distribution operations across the enterprise network.

Affected Products

• TeamViewer DEX Client (formerly 1E Client) for Windows prior to version 26.1
• Content Distribution Service (NomadBranch.exe) component

Discovery Timeline

• 2026-01-29 - CVE CVE-2026-23565 published to NVD
• 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2026-23565

Vulnerability Analysis

This vulnerability is classified as a Null Pointer Dereference (CWE-476), a memory corruption issue that occurs when the application attempts to use a pointer that has a null value. In the context of the TeamViewer DEX Client's Content Distribution Service, the NomadBranch.exe process fails to properly validate input before dereferencing memory pointers when processing incoming network requests.

The vulnerability requires the attacker to be on an adjacent network, which limits the attack surface compared to remotely exploitable vulnerabilities. However, in enterprise environments where the DEX Client is deployed across multiple network segments, this could still pose significant operational risk.

Root Cause

The root cause is a Null Pointer Dereference vulnerability (CWE-476) in the NomadBranch.exe process. When the Content Distribution Service receives malformed or specially crafted network requests, the application fails to perform adequate null checks on pointer values before dereferencing them. This improper input handling allows an attacker to trigger conditions where the service attempts to access memory through a null pointer, causing an immediate process crash.

Attack Vector

The attack vector requires adjacency to the target network (Adjacent Network). An attacker positioned on the same network segment as the vulnerable TeamViewer DEX Client can send crafted requests to the Content Distribution Service. The attack does not require user interaction or authentication, making it relatively straightforward to execute once network access is obtained. The malicious requests exploit the null pointer dereference condition, causing the NomadBranch.exe process to terminate and resulting in service disruption.

The vulnerability can be exploited by crafting network packets that trigger the null pointer condition in the request handling logic of the Content Distribution Service. When the service processes these malformed requests, it fails to properly validate the data, leading to the dereference of a null pointer and subsequent process termination. For detailed technical information, refer to the TeamViewer Security Bulletin TV-2026-1001.

Detection Methods for CVE-2026-23565

Indicators of Compromise

• Unexpected termination or crashes of the NomadBranch.exe process
• Windows Event Log entries indicating application crashes related to null pointer access violations
• Repeated service restarts of the Content Distribution Service
• Unusual network traffic patterns on ports used by the DEX Client Content Distribution Service

Detection Strategies

• Monitor Windows Application and System Event Logs for crash events involving NomadBranch.exe
• Implement network intrusion detection rules to identify malformed requests targeting the Content Distribution Service
• Deploy endpoint detection to alert on repeated process crashes or service terminations
• Use SentinelOne's behavioral AI to detect anomalous process termination patterns indicative of exploitation attempts

Monitoring Recommendations

• Configure alerts for NomadBranch.exe process termination events across managed endpoints
• Establish baseline network traffic patterns for the Content Distribution Service to identify anomalous activity
• Enable verbose logging on TeamViewer DEX Client installations to capture detailed request information
• Implement network segmentation monitoring to detect lateral movement attempts from adjacent networks

How to Mitigate CVE-2026-23565

Immediate Actions Required

• Update TeamViewer DEX Client to version 26.1 or later immediately
• Review network segmentation to limit adjacent network access to systems running the Content Distribution Service
• Implement firewall rules to restrict access to the Content Distribution Service to authorized systems only
• Monitor for exploitation attempts using endpoint detection and network monitoring solutions

Patch Information

TeamViewer has released version 26.1 of the DEX Client which addresses this vulnerability. Organizations should upgrade to version 26.1 or later to remediate this issue. Refer to the TeamViewer Security Bulletin TV-2026-1001 for official patch information and download links.

Workarounds

• Implement network access controls to restrict which systems can communicate with the Content Distribution Service
• Configure host-based firewalls on affected systems to limit inbound connections to trusted sources only
• Temporarily disable the Content Distribution Service if not required for critical operations until patching can be completed
• Isolate vulnerable systems on separate network segments with strict access controls

# Example Windows Firewall rule to restrict access to NomadBranch service
netsh advfirewall firewall add rule name="Restrict NomadBranch Access" dir=in action=block program="%ProgramFiles%\TeamViewer\NomadBranch.exe" remoteip=any
netsh advfirewall firewall add rule name="Allow NomadBranch Trusted" dir=in action=allow program="%ProgramFiles%\TeamViewer\NomadBranch.exe" remoteip=10.0.0.0/8