DSA-2026-172: Security Update for Dell PowerScale OneFS Multiple Vulnerabilities
Summary: Dell PowerScale OneFS remediation is available for insufficient logging vulnerability that could be exploited by malicious users to compromise the affected system.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Impact
Medium
Details
| Third-party Component | CVEs | More Information |
| OpenSSL | CVE-2025-15467, CVE-2025-69419, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796 | |
| libexpat | CVE-2026-25210 | |
| OpenSSH | CVE-2025-61984, CVE-2025-61985 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2026-32803 | Dell PowerScale OneFS versions 9.5.0.0 through 9.5.1.6, 9.6.0.0 through 9.7.1.13, 9.8.0.0 through 9.10.1.5 and 9.11.0.0 through 9.12.0.1 contains an Insufficient Logging vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering. | 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| CVE-2026-40640 |
Dell PowerScale OneFS versions 9.5.0.0 through 9.10.1.6, versions 9.11.0.0 through 9.13.0.2 contains an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering. |
5.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVE-2026-40634 |
Dell PowerScale OneFS versions 9.12.0.0 through 9.13.1.0, contains an Improper Control of Resource Identifiers ('Resource Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Denial of service. |
4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2026-32803 | Dell PowerScale OneFS versions 9.5.0.0 through 9.5.1.6, 9.6.0.0 through 9.7.1.13, 9.8.0.0 through 9.10.1.5 and 9.11.0.0 through 9.12.0.1 contains an Insufficient Logging vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering. | 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| CVE-2026-40640 |
Dell PowerScale OneFS versions 9.5.0.0 through 9.10.1.6, versions 9.11.0.0 through 9.13.0.2 contains an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering. |
5.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVE-2026-40634 |
Dell PowerScale OneFS versions 9.12.0.0 through 9.13.1.0, contains an Improper Control of Resource Identifiers ('Resource Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Denial of service. |
4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
Affected Products & Remediation
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Link |
| CVE-2026-32803 | PowerScale Onefs | Versions 9.5.0.0 through 9.5.1.6 | Version 9.5.1.7 or later | PowerScale OneFS Downloads Area |
| CVE-2026-32803 | PowerScale Onefs | Versions 9.6.0.0 through 9.7.1.13 | Version 9.7.1.14 or later | PowerScale OneFS Downloads Area |
| CVE-2026-32803 | PowerScale Onefs | Versions 9.8.0.0 through 9.10.1.5 | Version 9.10.1.6 or later | PowerScale OneFS Downloads Area |
| CVE-2026-32803 | PowerScale Onefs | Versions 9.11.0.0 through 9.12.0.1 | Version 9.13.0.0 or later | PowerScale OneFS Downloads Area |
| CVE-2025-15467, CVE-2025-69419, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796, CVE-2026-40640, CVE-2026-25210 | PowerScale Onefs | Versions 9.5.0.0 through 9.10.1.6 | Version 9.10.1.7 or later | PowerScale OneFS Downloads Area |
| CVE-2025-15467, CVE-2025-69419, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796, CVE-2026-40640, CVE-2026-25210 | PowerScale Onefs | Versions 9.11.0.0 through 9.13.0.2 | Version 9.13.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2025-61984, CVE-2025-61985 | PowerScale Onefs | Versions 9.5.0.0 through 9.13.0.2 | Version 9.13.1.0 or later | PowerScale OneFS Downloads Area |
| CVEs Addressed | Product | Affected Versions | Remediated Versions | Link |
| CVE-2026-32803 | PowerScale Onefs | Versions 9.5.0.0 through 9.5.1.6 | Version 9.5.1.7 or later | PowerScale OneFS Downloads Area |
| CVE-2026-32803 | PowerScale Onefs | Versions 9.6.0.0 through 9.7.1.13 | Version 9.7.1.14 or later | PowerScale OneFS Downloads Area |
| CVE-2026-32803 | PowerScale Onefs | Versions 9.8.0.0 through 9.10.1.5 | Version 9.10.1.6 or later | PowerScale OneFS Downloads Area |
| CVE-2026-32803 | PowerScale Onefs | Versions 9.11.0.0 through 9.12.0.1 | Version 9.13.0.0 or later | PowerScale OneFS Downloads Area |
| CVE-2025-15467, CVE-2025-69419, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796, CVE-2026-40640, CVE-2026-25210 | PowerScale Onefs | Versions 9.5.0.0 through 9.10.1.6 | Version 9.10.1.7 or later | PowerScale OneFS Downloads Area |
| CVE-2025-15467, CVE-2025-69419, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796, CVE-2026-40640, CVE-2026-25210 | PowerScale Onefs | Versions 9.11.0.0 through 9.13.0.2 | Version 9.13.1.0 or later | PowerScale OneFS Downloads Area |
| CVE-2025-61984, CVE-2025-61985 | PowerScale Onefs | Versions 9.5.0.0 through 9.13.0.2 | Version 9.13.1.0 or later | PowerScale OneFS Downloads Area |
We encourage all customers to adopt the Long-Term Support (LTS) 2025 version which is 9.10.1.x code line, with the latest maintenance release.
For more information on LTS code lines, see Dell Infrastructure Solutions Group (ISG) LTS Release Support Customer Summary and Security Update Release Schedule for Supported Versions of Dell PowerScale OneFS.
Workarounds & Mitigations
| CVE ID | Workaround and Mitigation |
| CVE-2026-40634 | To mitigate this vulnerability, the security recommendation is to use a dedicated logging target bucket and do not grant general users write access to that bucket. This prevents a user from creating conflicting objects in the log destination and preserves logging integrity.Operational guidance:Dedicated target logging bucket: Configure a specific, dedicated logging bucket as the logging target bucket (separate from source buckets).ACL / permissions: Do NOT grant WRITE access on the logging bucket to non-admin or non-source-bucket-owners.Integrity / immutability: If immutable retention is required, enable S3 Lock on the dedicated logging bucket (and use appropriate retention governance/compliance settings per your deployment policy).With the above configuration, malicious users cannot pre-create objects in the LogKey path (including using the source bucket name) to block LogCache log dump, and cannot manually insert custom data into the logging destination. |
Revision History
| Revision | Date | Description |
| 1.0 | 2026-05-05 | Initial Release |
| 2.0 | 2026-05-25 | Revised DSA to include CVEs CVE-2026-40640, CVE-2025-15467, CVE-2025-69419, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796, CVE-2026-40634, CVE-2026-25210,CVE-2025-61984, CVE-2025-61985 |
Related Information
Legal Disclaimer
Affected Products
PowerScale OneFSArticle Properties
Article Number: 000461228
Article Type: Dell Security Advisory
Last Modified: 25 May 2026
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.