CVE-2026-29115 Overview
CVE-2026-29115 is a denial of service vulnerability affecting some Dahua products. An authenticated remote attacker can send a specially crafted packet to a vulnerable device, triggering an unhandled exception. The exception causes the system to reboot unexpectedly, resulting in loss of availability.
The issue is tracked under [CWE-617] Reachable Assertion. Exploitation requires network access and high privileges, but no user interaction. The vulnerability impacts device availability only, with no reported impact to confidentiality or integrity.
Critical Impact
Authenticated attackers on the network can force affected Dahua devices into an unexpected reboot, disrupting video surveillance and physical security operations.
Affected Products
- Select Dahua products as listed in Dahua Security Advisory DHCC-SA-202606-001
- Specific affected models and firmware versions: refer to vendor advisory
- CPE identifiers: Not Available in NVD at time of publication
Discovery Timeline
- 2026-06-10 - CVE-2026-29115 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-29115
Vulnerability Analysis
The vulnerability is a reachable assertion condition ([CWE-617]) in the network packet handling logic of affected Dahua products. When an authenticated attacker submits a malformed or unexpected packet structure, the device hits an exception path that is not gracefully recovered. The result is an unexpected device reboot and a service outage during the restart cycle.
Because Dahua devices are commonly deployed for video surveillance, access control, and other physical security workflows, forced reboots can create blind spots in monitoring and recording. Repeated triggering of the condition can sustain a denial of service against the device.
Root Cause
The root cause is improper handling of malformed input within an authenticated request handler. The code path reaches an exception or assertion state that terminates the running process or causes the firmware to restart, rather than rejecting the malformed input and continuing normal operation.
Attack Vector
The attack vector is network-based and requires valid authentication with high privileges on the target device. An attacker with administrative or operator credentials sends a crafted packet to a network-facing service exposed by the device. The malformed packet exercises the vulnerable code path and triggers the reboot.
No verified proof-of-concept is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. EPSS data indicates a low probability of exploitation at the current time.
// No public proof-of-concept is available. Refer to the
// Dahua Security Advisory DHCC-SA-202606-001 for technical specifics
// regarding the affected packet handler and impacted firmware versions.
Detection Methods for CVE-2026-29115
Indicators of Compromise
- Unexpected device reboots correlated with inbound authenticated sessions from unusual source IP addresses.
- Gaps in video recording or device telemetry that align with authenticated network activity on management ports.
- Repeated short-interval reboot events on Dahua devices logged by network management or SNMP monitoring.
Detection Strategies
- Monitor authentication logs for successful logins from unexpected geographies or off-hours, especially when followed by device crashes.
- Inspect packet captures on management interfaces for malformed or oversized payloads targeting Dahua services.
- Correlate device uptime metrics against authenticated session events to identify reboot-inducing requests.
Monitoring Recommendations
- Forward device syslog, authentication events, and uptime counters to a centralized log platform for correlation.
- Alert on reboot events that occur outside scheduled maintenance windows.
- Track credential usage patterns for administrative accounts on Dahua devices and flag anomalies.
How to Mitigate CVE-2026-29115
Immediate Actions Required
- Review Dahua Security Advisory DHCC-SA-202606-001 to identify affected models and firmware versions in your environment.
- Apply the firmware updates released by Dahua for the impacted products.
- Rotate administrative and operator credentials on affected devices, prioritizing accounts with remote access.
Patch Information
Dahua has published guidance and remediated firmware versions in security advisory DHCC-SA-202606-001. Administrators should download the vendor-supplied firmware for each affected model and apply it through the standard Dahua upgrade process.
Workarounds
- Restrict network access to device management interfaces using firewall rules or network segmentation, allowing only trusted management hosts.
- Disable or limit remote administrative accounts that are not strictly required for operations.
- Place Dahua devices on isolated VLANs and require VPN access for any remote configuration activity.
- Enforce strong, unique credentials for all device accounts and enable account lockout where supported.
# Example: restrict management access to a trusted subnet using iptables
# on an upstream Linux gateway protecting the camera VLAN
iptables -A FORWARD -s 10.10.20.0/24 -d 10.50.0.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 10.10.20.0/24 -d 10.50.0.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 10.50.0.0/24 -p tcp --dport 80 -j DROP
iptables -A FORWARD -d 10.50.0.0/24 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
