CVE-2026-23567
📋 TL;DR
An integer underflow vulnerability in TeamViewer DEX Client's UDP command handler allows adjacent network attackers to trigger heap-based buffer overflow via crafted UDP packets, causing denial-of-service through service crashes. This affects Windows systems running TeamViewer DEX Client (formerly 1E Client) Content Distribution Service versions prior to 26.1.
💻 Affected Systems
- TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to full system compromise if buffer overflow can be weaponized beyond DoS
Likely Case
Service crashes causing disruption to TeamViewer DEX Client functionality and potential system instability
If Mitigated
Limited to service disruption with no data compromise if proper network segmentation exists
🎯 Exploit Status
Adjacent network access required; exploitation involves sending crafted UDP packets to trigger integer underflow
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 26.1 or later
Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/
Restart Required: Yes
Instructions:
1. Download TeamViewer DEX Client version 26.1 or later from official TeamViewer sources. 2. Install the update following vendor instructions. 3. Restart the NomadBranch.exe service or reboot the system.
🔧 Temporary Workarounds
Network Segmentation
windowsRestrict UDP traffic to NomadBranch.exe service to trusted network segments only
Windows Firewall: New-NetFirewallRule -DisplayName "Block NomadBranch UDP" -Direction Inbound -Protocol UDP -LocalPort <port_number> -Action Block
Service Disablement
windowsTemporarily disable the Content Distribution Service if not required
sc stop NomadBranch
sc config NomadBranch start= disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate systems running vulnerable versions from untrusted networks
- Deploy host-based firewall rules to block all UDP traffic to the NomadBranch.exe service
🔍 How to Verify
Check if Vulnerable:
Check NomadBranch.exe version: Right-click executable → Properties → Details tab, or use PowerShell: Get-Item "C:\Program Files\TeamViewer\NomadBranch.exe" | Select-Object -ExpandProperty VersionInfoCheck Version:
powershell "(Get-Item 'C:\Program Files\TeamViewer\NomadBranch.exe').VersionInfo.FileVersion"Verify Fix Applied:
Confirm version is 26.1.0.0 or higher using same method as above📡 Detection & Monitoring
Log Indicators:
- Application crash logs for NomadBranch.exe
- Windows Event Logs: Application crashes with exception codes like 0xC0000005 (ACCESS_VIOLATION)
Network Indicators:
- Unusual UDP traffic to port used by NomadBranch.exe (default 5938)
- High volume of malformed UDP packets from single source
SIEM Query:
source="windows" AND (event_id=1000 OR event_id=1001) AND process_name="NomadBranch.exe"