
arduino-esp32 CVE-2026-41429 | EUVD-2026-25619
Severity: HIGH (CVSS 3.1 score 8.8)
Stack-based Buffer Overflow (CWE-121)
2026-04-24 GitHub_M

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

7 events
Patch released: Apr 27, 2026 - 18:57, nvd (Patch available)
Patch available: Apr 24, 2026 - 21:02, EUVD
Re-analysis Queued: Apr 24, 2026 - 20:22, vuln.today (cvss_changed)
Analysis Generated: Apr 24, 2026 - 20:16, vuln.today
EUVD ID Assigned: Apr 24, 2026 - 19:45, euvd (EUVD-2026-25619)
Analysis Generated: Apr 24, 2026 - 19:45, vuln.today
CVE Published: Apr 24, 2026 - 19:19, nvd (HIGH 8.8)

Description (NVD)

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS packet handling path. When NetBIOS is enabled by calling NBNS.begin(...), the device listens on UDP port 137 and processes untrusted NBNS requests from the local network. The request parser trusts the attacker-controlled name_len field without enforcing a bound consistent with the fixed-size destination buffers used later in the flow. This vulnerability is fixed in 3.3.8.
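
The bounds check the description says is missing, shown as an added example: this is not arduino-esp32 source and not the 3.3.8 patch. The function names are hypothetical, and the packet layout assumes a standard RFC 1002 NBNS query (12-byte header, one length byte, a 32-byte first-level-encoded name, a zero terminator).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NBNS_HDR_LEN 12u      /* fixed NBNS header (RFC 1002) */
#define NBNS_ENC_LEN 32u      /* encoded form of a 16-byte NetBIOS name */
#define NBNS_RAW_LEN 16u

/* Hypothetical helper: decode the question name of one UDP/137 datagram.
 * out must hold NBNS_RAW_LEN + 1 bytes. Returns 0 on success, -1 if malformed. */
int nbns_decode_name(const uint8_t *pkt, size_t pkt_len, char *out)
{
    if (pkt == NULL || out == NULL || pkt_len < NBNS_HDR_LEN + 1)
        return -1;
    size_t name_len = pkt[NBNS_HDR_LEN];          /* sender-controlled */
    /* Bound the field by what the destination holds, before any copy. */
    if (name_len != NBNS_ENC_LEN)
        return -1;
    /* The encoded name plus its zero terminator must lie inside the datagram. */
    if (pkt_len < NBNS_HDR_LEN + 1 + name_len + 1)
        return -1;
    const uint8_t *enc = pkt + NBNS_HDR_LEN + 1;
    if (enc[name_len] != 0)
        return -1;
    for (size_t i = 0; i < NBNS_RAW_LEN; i++) {
        uint8_t hi = enc[2 * i], lo = enc[2 * i + 1];
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P')
            return -1;                            /* not first-level encoding */
        out[i] = (char)(((hi - 'A') << 4) | (lo - 'A'));
    }
    out[NBNS_RAW_LEN] = '\0';
    return 0;
}

/* Constructed sample: build a query for `name` (space padded) into buf, which
 * must hold 50 bytes, writing len_field as the length byte. Returns its size. */
size_t nbns_build_sample(uint8_t *buf, const char *name, uint8_t len_field)
{
    size_t n = strlen(name);
    memset(buf, 0, NBNS_HDR_LEN + 1 + NBNS_ENC_LEN + 1 + 4);
    buf[NBNS_HDR_LEN] = len_field;
    for (size_t i = 0; i < NBNS_RAW_LEN; i++) {
        uint8_t c = (i < n) ? (uint8_t)name[i] : (uint8_t)' ';
        buf[NBNS_HDR_LEN + 1 + 2 * i] = (uint8_t)('A' + (c >> 4));
        buf[NBNS_HDR_LEN + 1 + 2 * i + 1] = (uint8_t)('A' + (c & 0x0F));
    }
    return NBNS_HDR_LEN + 1 + NBNS_ENC_LEN + 1 + 4;  /* + QTYPE, QCLASS */
}
```

The length byte is compared against the size the 17-byte destination can hold and against the received datagram length before any byte is decoded, so a request with any other length value is dropped rather than copied.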

Analysis (AI)

Memory corruption in arduino-esp32's NBNS packet handler allows adjacent network attackers to achieve remote code execution on ESP32-family microcontrollers without authentication. Affects all versions prior to 3.3.8 when NetBIOS is explicitly enabled via NBNS.begin(). …


Remediation (AI)

Within 24 hours: Inventory all ESP32 deployments and identify devices with NBNS enabled via NBNS.begin() configuration. Within 7 days: Apply vendor-released patch to Arduino-ESP32 version 3.3.8 or later across all affected devices; coordinate staged updates to minimize operational disruption. …
