CVE-2026-23569
📋 TL;DR
An out-of-bounds read vulnerability in TeamViewer DEX Client's Content Distribution Service allows remote attackers to leak stack memory and cause denial of service via crafted requests. This memory leak could help bypass ASLR and facilitate exploitation of other vulnerabilities. Affects TeamViewer DEX Client (formerly 1E Client) users on Windows systems.
💻 Affected Systems
- TeamViewer DEX Client (formerly 1E Client) - Content Distribution Service
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker bypasses ASLR, combines with other vulnerabilities to achieve remote code execution, potentially compromising the entire system.
Likely Case
Denial of service through service crashes and limited memory disclosure that could aid in further attacks.
If Mitigated
Service disruption with minimal data exposure if proper network segmentation and monitoring are in place.
🎯 Exploit Status
Exploitation requires crafting specific requests, but no authentication is needed. The memory leak could be chained with other vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 26.1 or later
Vendor Advisory: https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/
Restart Required: Yes
Instructions:
1. Download TeamViewer DEX Client version 26.1 or later from official sources.
2. Run the installer to upgrade the existing installation.
3. Restart the system or service to apply changes.
🔧 Temporary Workarounds
Disable Content Distribution Service
(Windows) Temporarily disable the vulnerable NomadBranch.exe service if not required for operations.
sc stop NomadBranch
sc config NomadBranch start= disabled
Network Segmentation
(Windows) Restrict network access to the Content Distribution Service port (default 5938) using firewall rules.
netsh advfirewall firewall add rule name="Block NomadBranch" dir=in action=block protocol=TCP localport=5938
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks
- Deploy host-based intrusion detection to monitor for exploitation attempts and service crashes
🔍 How to Verify
Check if Vulnerable:
Check NomadBranch.exe version: Right-click file → Properties → Details tab, version should be 26.1 or higher.
Check Version:
wmic datafile where name="C:\\Program Files\\TeamViewer\\NomadBranch.exe" get version
Verify Fix Applied:
Verify service is running version 26.1+ and monitor for crashes or unusual memory patterns.
📡 Detection & Monitoring
Log Indicators:
- Unexpected NomadBranch.exe service crashes
- High memory usage patterns in NomadBranch.exe
- Windows Event Logs showing application errors for NomadBranch
Network Indicators:
- Unusual traffic patterns to port 5938
- Multiple malformed requests to Content Distribution Service
SIEM Query:
source="windows" AND (process_name="NomadBranch.exe" AND (event_id=1000 OR event_id=1001)) OR (destination_port=5938 AND payload_size<100)
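The version check and the crash indicators above, combined into one host-side PowerShell check. This is an added example, not vendor tooling: the service name NomadBranch and the fixed version 26.1 come from this page, while the 7-day lookback and the match on the event message text are assumptions of the example.

```powershell
# Added example (not vendor code). Service name and fixed version come from this page.
$ServiceName  = 'NomadBranch'
$FixedVersion = [version]'26.1'
$LookbackDays = 7    # assumption: how far back to look for crash events

# Resolve the executable from the service registration rather than a fixed path.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
$exe = $null
if ($svc -and $svc.PathName -match '^\s*"?([^"]+?\.exe)') { $exe = $Matches[1] }

if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
    Write-Output "Service '$ServiceName' is not installed on this host."
}
else {
    # Build a [version] from the numeric parts; the FileVersion string can carry text.
    $vi = (Get-Item -LiteralPath $exe).VersionInfo
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                $vi.FileBuildPart, $vi.FilePrivatePart)

    # Event ID 1000 (Application Error) and 1001 (Windows Error Reporting),
    # the same IDs as the SIEM query above, filtered to this executable.
    # Assumption: the executable name appears in the rendered event message.
    $crashes = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Application'
            Id        = 1000, 1001
            StartTime = (Get-Date).AddDays(-$LookbackDays)
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'NomadBranch\.exe' })

    [pscustomobject]@{
        Path         = $exe
        Installed    = $installed
        Patched      = ($installed -ge $FixedVersion)
        ServiceState = $svc.State
        StartMode    = $svc.StartMode
        CrashEvents  = $crashes.Count
        LastCrash    = ($crashes | Select-Object -First 1).TimeCreated
    }
}
```

A host that reports Patched as False with StartMode other than Disabled still needs either the upgrade or one of the workarounds above.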