Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
4DescriptionCVE.org
nanoMODBUS through v1.22.0 has a stack-based buffer overflow in recv_read_registers_res() in nanomodbus.c. When a client calls nmbs_read_holding_registers() or nmbs_read_input_registers(), the library writes register data from the server response to the caller-provided buffer based on the response's byte_count field before validating that byte_count matches the requested quantity. A malicious Modbus TCP server can send a response with byte_count=250 (125 registers) regardless of the requested quantity, causing up to 248 bytes of attacker-controlled data to overflow the buffer, potentially allowing remote code execution.
AnalysisAI
Stack-based buffer overflow in nanoMODBUS v1.22.0 and earlier allows malicious Modbus TCP servers to execute arbitrary code on clients via oversized responses. When client applications call nmbs_read_holding_registers() or nmbs_read_input_registers(), the library fails to validate byte_count before writing server data to the caller's buffer, enabling up to 248 bytes of controlled overflow. No active exploitation confirmed (not in CISA KEV), but proof-of-concept code is publicly available and the vulnerability is automatable (SSVC) with network attack vector (CVSS AV:N/AC:L/PR:N). EPSS data not provided, but the combination of public POC, low complexity, and RCE potential warrants immediate attention for systems using nanoMODBUS as a client.
Technical ContextAI
nanoMODBUS is a lightweight Modbus RTU/TCP library implemented in C. The vulnerability resides in the recv_read_registers_res() function in nanomodbus.c (lines 580-615 per GitHub reference), which handles Modbus function codes 0x03 (Read Holding Registers) and 0x04 (Read Input Registers) responses. The CWE-121 (Stack-based Buffer Overflow) occurs because the library trusts the byte_count field from the server response before validating it against the originally requested quantity of registers. In Modbus protocol, each register is 2 bytes, so a malicious server sending byte_count=250 provides 125 registers worth of data. When the client allocated a buffer for fewer registers (e.g., 1 register = 2 bytes), the memcpy-equivalent operation writes 248 bytes beyond the allocated buffer on the stack, overwriting return addresses or other critical stack data. This is a classic integer-to-buffer mismatch where external input (untrusted server response) controls a memory operation size without proper bounds checking.
RemediationAI
Upgrade to nanoMODBUS version greater than v1.22.0 once a patched release is available - no fix version is specified in the provided intelligence, and the GitHub repository reference points to vulnerable code rather than a patch commit. Monitor the official repository (https://github.com/debevv/nanoMODBUS) for security advisories and patch releases. Until a vendor patch is released, implement compensating controls: (1) Restrict nanoMODBUS client applications to connect only to authenticated and trusted Modbus TCP servers within isolated OT networks, using network segmentation and firewall rules to prevent connections to untrusted endpoints; (2) If feasible, implement application-level validation by wrapping nmbs_read_holding_registers() and nmbs_read_input_registers() calls with checks that allocate maximum-sized buffers (250 bytes) regardless of requested quantity, though this wastes memory and does not address the root cause; (3) Deploy exploit mitigations such as stack canaries (compile with -fstack-protector-strong), ASLR, and DEP/NX to increase exploitation difficulty, recognizing these are defense-in-depth measures that raise the bar but do not eliminate the vulnerability. The POC availability (https://gist.github.com/dwilliams27/a4e26fe747c8561d608f7549804bd85f) can help validate mitigations in lab environments.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28785
GHSA-5hc8-p74q-47pp