CVE intelligence and bounded remediation
CVE-2019-9012 — An issue was discovered in 3S-Smart CODESYS V3 products
An issue was discovered in 3S-Smart CODESYS V3 products. A crafted communication request may cause uncontrolled memory allocations in the affected CODESYS products and may result in a denial-of-service condition. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, CODESYS V3 Development System.
- Severity
- High
- CVSS
- 7.8 (2.0)
- Published
- 2019-08-15
- CISA KEV
- Not currently listed
- Ecosystem
- software/application
- Weaknesses
- CWE-770
Affected products
- codesys / control_for_beaglebone_sl
- codesys / control_for_empc-a/imx6_sl
- codesys / control_for_iot2000_sl
- codesys / control_for_linux_sl
- codesys / control_for_pfc100_sl
- codesys / control_for_pfc200_sl
Matched remediation archetype
Resource exhaustion and denial of service
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Identify attacker-influenced work factors including input size, nesting, compression, fan-out, regex cost, allocation, recursion, retries, and connection lifetime.
- Map per-request and shared CPU, memory, disk, descriptor, thread, queue, and downstream-service limits.
- Determine whether authentication, tenancy, quotas, and rate controls apply before expensive processing begins.
Remediate safely
- Bound input size, nesting, expansion, work, concurrency, queue depth, retries, and execution time before resource-intensive processing.
- Release resources on every success, error, cancellation, and timeout path and use backpressure instead of unbounded buffering.
- Update affected components and add small deterministic tests that assert resource ceilings rather than exhausting a host.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.