Skip to main content

arduino-esp32 CVE-2026-41429

| EUVDEUVD-2026-25619 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-04-24 GitHub_M
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
Apr 27, 2026 - 18:57 nvd
Patch available
Patch available
Apr 24, 2026 - 21:02 EUVD
Re-analysis Queued
Apr 24, 2026 - 20:22 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 20:16 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 19:45 euvd
EUVD-2026-25619
Analysis Generated
Apr 24, 2026 - 19:45 vuln.today
CVE Published
Apr 24, 2026 - 19:19 nvd
HIGH 8.8

DescriptionGitHub Advisory

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS packet handling path. When NetBIOS is enabled by calling NBNS.begin(...), the device listens on UDP port 137 and processes untrusted NBNS requests from the local network. The request parser trusts the attacker-controlled name_len field without enforcing a bound consistent with the fixed-size destination buffers used later in the flow. This vulnerability is fixed in 3.3.8.

AnalysisAI

Memory corruption in arduino-esp32's NBNS packet handler allows adjacent network attackers to achieve remote code execution on ESP32-family microcontrollers without authentication. Affects all versions prior to 3.3.8 when NetBIOS is explicitly enabled via NBNS.begin(). The parser trusts attacker-controlled name_len field from UDP port 137 traffic, writing unbounded data to fixed-size buffers. EPSS data not available, no CISA KEV listing, but GitHub security advisory confirms the vulnerability with patch released in version 3.3.8.

Technical ContextAI

This vulnerability affects the arduino-esp32 core library used for programming ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, and ESP32-H2 microcontrollers in the Arduino development environment. NetBIOS Name Service (NBNS) is a legacy protocol operating on UDP port 137 for name resolution in local networks, primarily used for Windows network discovery. The vulnerability is a classic unbounded copy issue (CWE-121: Stack-based Buffer Overflow) where the NBNS request parser reads the name_len field from an incoming packet and uses it to copy data into fixed-size stack or heap buffers without validating that the length fits within the destination buffer bounds. ESP32 microcontrollers are resource-constrained embedded devices commonly used in IoT applications, smart home devices, and industrial control systems, making memory safety vulnerabilities particularly critical as they often lack modern exploit mitigations like DEP or ASLR.

RemediationAI

Upgrade arduino-esp32 to version 3.3.8 or later, which contains bounds checking for the name_len field in the NBNS packet parser. Update the library through the Arduino IDE Library Manager or modify the platform definition in the Arduino cores directory. For deployments unable to immediately upgrade, disable NetBIOS functionality by removing all NBNS.begin() calls from application code-this completely eliminates the attack surface as the vulnerable code path is only reachable when NBNS is explicitly started. As a network-level compensating control, implement firewall rules to block incoming UDP port 137 traffic to ESP32 devices, though this may break legitimate NetBIOS name resolution functionality if required by the application. For defense-in-depth, segment IoT devices into isolated VLANs with strict ingress filtering to limit adjacent network access, reducing the pool of potential attackers who can reach UDP 137. Review application code to verify whether NetBIOS is actually required for functionality, as many ESP32 deployments include it unnecessarily during development testing.

Share

CVE-2026-41429 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy