Skip to main content

nanoMODBUS CVE-2026-29972

| EUVDEUVD-2026-28785 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-05-08 mitre GHSA-5hc8-p74q-47pp
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 19:00 vuln.today
CVSS changed
May 08, 2026 - 17:22 NVD
8.2 (HIGH)
CVE Published
May 08, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 00:00 nvd
HIGH 8.2

DescriptionCVE.org

nanoMODBUS through v1.22.0 has a stack-based buffer overflow in recv_read_registers_res() in nanomodbus.c. When a client calls nmbs_read_holding_registers() or nmbs_read_input_registers(), the library writes register data from the server response to the caller-provided buffer based on the response's byte_count field before validating that byte_count matches the requested quantity. A malicious Modbus TCP server can send a response with byte_count=250 (125 registers) regardless of the requested quantity, causing up to 248 bytes of attacker-controlled data to overflow the buffer, potentially allowing remote code execution.

AnalysisAI

Stack-based buffer overflow in nanoMODBUS v1.22.0 and earlier allows malicious Modbus TCP servers to execute arbitrary code on clients via oversized responses. When client applications call nmbs_read_holding_registers() or nmbs_read_input_registers(), the library fails to validate byte_count before writing server data to the caller's buffer, enabling up to 248 bytes of controlled overflow. No active exploitation confirmed (not in CISA KEV), but proof-of-concept code is publicly available and the vulnerability is automatable (SSVC) with network attack vector (CVSS AV:N/AC:L/PR:N). EPSS data not provided, but the combination of public POC, low complexity, and RCE potential warrants immediate attention for systems using nanoMODBUS as a client.

Technical ContextAI

nanoMODBUS is a lightweight Modbus RTU/TCP library implemented in C. The vulnerability resides in the recv_read_registers_res() function in nanomodbus.c (lines 580-615 per GitHub reference), which handles Modbus function codes 0x03 (Read Holding Registers) and 0x04 (Read Input Registers) responses. The CWE-121 (Stack-based Buffer Overflow) occurs because the library trusts the byte_count field from the server response before validating it against the originally requested quantity of registers. In Modbus protocol, each register is 2 bytes, so a malicious server sending byte_count=250 provides 125 registers worth of data. When the client allocated a buffer for fewer registers (e.g., 1 register = 2 bytes), the memcpy-equivalent operation writes 248 bytes beyond the allocated buffer on the stack, overwriting return addresses or other critical stack data. This is a classic integer-to-buffer mismatch where external input (untrusted server response) controls a memory operation size without proper bounds checking.

RemediationAI

Upgrade to nanoMODBUS version greater than v1.22.0 once a patched release is available - no fix version is specified in the provided intelligence, and the GitHub repository reference points to vulnerable code rather than a patch commit. Monitor the official repository (https://github.com/debevv/nanoMODBUS) for security advisories and patch releases. Until a vendor patch is released, implement compensating controls: (1) Restrict nanoMODBUS client applications to connect only to authenticated and trusted Modbus TCP servers within isolated OT networks, using network segmentation and firewall rules to prevent connections to untrusted endpoints; (2) If feasible, implement application-level validation by wrapping nmbs_read_holding_registers() and nmbs_read_input_registers() calls with checks that allocate maximum-sized buffers (250 bytes) regardless of requested quantity, though this wastes memory and does not address the root cause; (3) Deploy exploit mitigations such as stack canaries (compile with -fstack-protector-strong), ASLR, and DEP/NX to increase exploitation difficulty, recognizing these are defense-in-depth measures that raise the bar but do not eliminate the vulnerability. The POC availability (https://gist.github.com/dwilliams27/a4e26fe747c8561d608f7549804bd85f) can help validate mitigations in lab environments.

Share

CVE-2026-29972 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy