Summary
A FlashGrid software update is required to address the CVE-2026-45447 vulnerability in the OpenSSL library. There is no immediate exposure in FlashGrid software unless an attacker also injects malicious data into the DNS resolver used by the system.
Description
If an attacker can modify records in the DNS resolver used by the system, the attacker can redirect legitimate requests from FlashGrid software to a malicious server to exploit CVE-2026-45447 and cause application crashes, memory corruption, or potential remote code execution.
FlashGrid software uses the OpenSSL library only for calls that send alerts to FlashGrid support. The endpoint that receives the alerts is managed by FlashGrid, so there is no immediate exposure to the vulnerability if the DNS resolver is not compromised. There is also no immediate exposure if automatic sending of alerts to FlashGrid support is disabled.
Affected Products
FlashGrid Cluster on AWS/Azure/Google Cloud
FlashGrid Server on AWS/Azure/Google Cloud
FlashGrid Storage Fabric (on-premises)
Affected Versions
flashgrid-sf RPM versions earlier than 26.3.110 are affected.
To confirm the version of the installed flashgrid-sf RPM, run:
rpm -q flashgrid-sf
First Unaffected Version
26.3.110 and above are unaffected.
Root Cause
OpenSSL bug.
Resolution
- Cloud environments: update FlashGrid software to version 26.3.110 or newer using the FlashGrid Node Update package.
- FlashGrid Storage Fabric (on-premises): update the following FlashGrid RPMs to version 26.3.110 or newer:
  - flashgrid-sf
  - flashgrid-diags
  - flashgrid-health-check
  - flashgrid-iscsid-fix
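
To verify a node before and after the update, the following script compares each RPM named above against the first unaffected version, 26.3.110. It is an added example, not FlashGrid tooling; the function names are illustrative, and it assumes the RPM version field is dotted-numeric.

```shell
#!/bin/sh
# Added example, not FlashGrid tooling. The fixed version and the package
# names are taken from this advisory; function names are illustrative.
FIXED="26.3.110"
PKGS="flashgrid-sf flashgrid-diags flashgrid-health-check flashgrid-iscsid-fix"

# version_lt A B: succeeds when dotted numeric version A is lower than B.
# Fields are compared as numbers, so 26.10.0 is correctly newer than 26.3.110.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1    # equal versions are not "lower"
}

# classify VERSION: prints affected, unaffected, or unknown (assumption:
# anything other than digits and dots is reported as unknown, not guessed).
classify() {
    case $1 in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    if version_lt "$1" "$FIXED"; then echo affected; else echo unaffected; fi
}

# check_packages: query each RPM; returns 1 if any installed package is
# affected or has a version that could not be classified.
check_packages() {
    rc=0
    for p in $PKGS; do
        if ver=$(rpm -q --qf '%{VERSION}\n' "$p" 2>/dev/null); then
            state=$(classify "$ver")
            [ "$state" = unaffected ] || rc=1
        else
            ver="-"; state="not installed"
        fi
        printf '%-24s %-12s %s\n' "$p" "$ver" "$state"
    done
    return $rc
}

if command -v rpm >/dev/null 2>&1; then
    check_packages || echo "Update the packages not marked unaffected to $FIXED or newer."
fi
```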