CVE-2026-23568

5.4 MEDIUM

📋 TL;DR

An out-of-bounds read vulnerability in TeamViewer DEX Client's Content Distribution Service (NomadBranch.exe) allows adjacent network attackers to read memory contents, potentially disclosing sensitive information or causing denial-of-service. This affects Windows systems running TeamViewer DEX Client versions before 26.1. The vulnerability could help bypass ASLR protections to enable further exploitation.

💻 Affected Systems

Products:
  • TeamViewer DEX Client (formerly 1E Client)
Versions: All versions prior to 26.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Content Distribution Service (NomadBranch.exe) to be running and accessible on adjacent network.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Memory disclosure leads to ASLR bypass enabling remote code execution, full system compromise, and lateral movement through the network.

🟠 Likely Case

Information disclosure revealing memory contents, potential denial-of-service crashes, and reconnaissance data for further attacks.

🟢 If Mitigated

Limited to adjacent network access, reducing exposure compared to internet-facing systems.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires adjacent network access and crafting of special packets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 26.1

Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/

Restart Required: Yes

Instructions:

1. Download TeamViewer DEX Client version 26.1 or later from official TeamViewer sources.
2. Install the update following vendor instructions.
3. Restart the system to ensure the patch is fully applied.

🔧 Temporary Workarounds

Network Segmentation

windows

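Restrict network access to the NomadBranch.exe service to trusted hosts only using firewall rules. As written, the rules below block all inbound TCP and UDP traffic to NomadBranch.exe on port 5938, so no other host can reach the service on this machine while they are in place.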

netsh advfirewall firewall add rule name="Block NomadBranch" dir=in action=block protocol=TCP localport=5938 program="%ProgramFiles%\TeamViewer\NomadBranch.exe"
netsh advfirewall firewall add rule name="Block NomadBranch UDP" dir=in action=block protocol=UDP localport=5938 program="%ProgramFiles%\TeamViewer\NomadBranch.exe"

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate systems running vulnerable TeamViewer DEX Client from untrusted networks.
  • Monitor network traffic to/from NomadBranch.exe for anomalous patterns and implement intrusion detection rules.

🔍 How to Verify

Check if Vulnerable:

Check TeamViewer DEX Client version in installed programs or via 'NomadBranch.exe' file properties.

Check Version:

wmic product where "name like 'TeamViewer DEX%'" get version

Verify Fix Applied:

Verify installed version is 26.1 or higher in program details or file properties.
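
The same check as a script, added here as an example (not vendor code): it reads the installed-programs registry keys and the running NomadBranch.exe file version and compares both against 26.1, without going through `wmic product`, which is deprecated and whose underlying Win32_Product class triggers an MSI consistency check on every enumeration. Assumptions: older installs may still be registered under the former "1E Client" name, and the file's product version follows the same numbering as the product release.

```powershell
# Added example: flag TeamViewer DEX Client installs older than the fixed release.
# Run elevated so the path of the service process can be read.
$FixedVersion = [version]'26.1'                     # fixed version per the advisory
$NamePatterns = 'TeamViewer DEX*', '1E Client*'     # second pattern is an assumption (former product name)

function ConvertTo-VersionOrNull {
    param([string]$Text)
    # Keep only the leading dotted-number part, e.g. "26.1.0.123 (x64)" -> 26.1.0.123
    if ($Text -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function New-StatusRow {
    param([string]$Source, [string]$Item, [string]$RawVersion)
    $v = ConvertTo-VersionOrNull $RawVersion
    [pscustomobject]@{
        Source     = $Source
        Item       = $Item
        Version    = $RawVersion
        # $null means the version string could not be parsed: check by hand.
        Vulnerable = if ($v) { $v -lt $FixedVersion } else { $null }
    }
}

function Get-DexClientStatus {
    # 1. Installed-programs view: 64-bit and 32-bit uninstall keys.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $n = $_.DisplayName; $n -and ($NamePatterns | Where-Object { $n -like $_ }) } |
        ForEach-Object { New-StatusRow 'Registry' $_.DisplayName $_.DisplayVersion }

    # 2. File-properties view of the running service binary, if any.
    Get-Process -Name 'NomadBranch' -ErrorAction SilentlyContinue |
        Where-Object Path |
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object {
            $pv = (Get-Item -LiteralPath $_).VersionInfo.ProductVersion
            New-StatusRow 'File' $_ $pv
        }
}

Get-DexClientStatus | Format-Table -AutoSize
```

No output means neither a matching installed product nor a running NomadBranch process was found on the host.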

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of NomadBranch.exe in Windows Event Logs
  • Unusual network connections to NomadBranch.exe service

Network Indicators:

  • Anomalous packets to port 5938 (default NomadBranch port)
  • Specially crafted packets sent to the service that may indicate out-of-bounds read attempts

SIEM Query:

source="windows" AND (event_id=1000 OR event_id=1001) AND process_name="NomadBranch.exe"
